Forum Moderators: coopster


Passing Text String Through Link


TheRealTerry

1:43 pm on Apr 28, 2004 (gmt 0)

10+ Year Member



I am creating a setup where a user can return to their last search results after editing a file within those results, and I've done this by passing the MySQL query string through the URLs of links. The problem I think I'm having is that this text string contains spaces (i.e. $string = "SELECT * FROM...") and this creates a funky URL (search.php?id=1?string=SELECT * FROM...) that the browser chokes on. The first value gets passed but the second is lost.

Do I need to encode the value of $string somehow to get it to pass to the next page?

mykel79

2:22 pm on Apr 28, 2004 (gmt 0)

10+ Year Member



First of all, when you add a second value, it has to be after a & sign, not?

So it would be
script.php?var1=value1&var2=value2

If it still doesn't work, you can try using str_replace() to change the spaces into %20 before putting them into the query.
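An added example, not code from the thread, showing what the two replies above describe: a hand-built link where only the spaces are replaced, beside one built with http_build_query(), and what the receiving page sees after the same decoding PHP applies to $_GET. The parameter names and sample values are constructed for this example.

```php
<?php
// Added example (not from the thread): build a link that carries the search
// parameters, instead of hand-replacing spaces with %20.
// Sample search inputs, constructed for this example.
$params = [
    'id' => 1,
    'f1' => 'John Smith',   // contains a space
    'f2' => 'a&b=c',        // contains characters that delimit a query string
];

// str_replace-only version: spaces become %20 but & and = are left alone,
// so the receiving page sees an extra parameter and a truncated f2.
$naive = 'search.php?id=' . $params['id']
       . '&f1=' . str_replace(' ', '%20', $params['f1'])
       . '&f2=' . str_replace(' ', '%20', $params['f2']);

// http_build_query() percent-encodes every value and joins the pairs with &.
$safe = 'search.php?' . http_build_query($params);

// Simulate what the receiving page sees: parse_str() performs the same
// decoding that PHP applies when it populates $_GET.
function parsedQuery(string $url): array {
    $query = parse_url($url, PHP_URL_QUERY);
    parse_str($query ?? '', $out);
    return $out;
}

echo $naive, "\n";  // search.php?id=1&f1=John%20Smith&f2=a&b=c
echo $safe, "\n";   // search.php?id=1&f1=John+Smith&f2=a%26b%3Dc
print_r(parsedQuery($naive));  // id => 1, f1 => John Smith, f2 => a, b => c
print_r(parsedQuery($safe));   // id => 1, f1 => John Smith, f2 => a&b=c
```

http_build_query() encodes spaces as + (RFC 1738 style); rawurlencode() gives %20 instead. Either decodes to a space on the receiving side, which is why the encoding step belongs on every value, not just on the spaces.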

jatar_k

4:56 pm on Apr 28, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



passing an sql query in the url is a very bad idea. You expose more than enough information to the user for them to hack your site.

what if they put this in the url

delete from yourtable

bye bye data. What if they insert something to allow them to exploit it.

Pass parts of the query in the url and then build your query from there.

if your query is

select * from mytable where field1='somevalue' and field2='otherval'

have your url look something like so
search.php?id=1&f1=somevalue&f2=otherval

then in search.php
$query = "select * from mytable where field1='" . $_GET['f1'] . "' and field2='" . $_GET['f2'] . "'";

you should also always test user entered data to protect yourself even more from the possibility of sql injection.
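An added example, not code from the thread, that runs the concatenated query from the post above beside a parameterised version of the same query. It uses an in-memory SQLite table through PDO so it runs offline (this assumes the pdo_sqlite extension is installed; for MySQL only the DSN and credentials change). The table rows and the two $_GET arrays are constructed for this example.

```php
<?php
// Added example (not from the thread): the post's concatenated query next to a
// prepared-statement version, run against an in-memory SQLite table.
// Assumes the pdo_sqlite extension; a MySQL DSN works the same way.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE mytable (id INTEGER PRIMARY KEY, field1 TEXT, field2 TEXT)");
$db->exec("INSERT INTO mytable (field1, field2) VALUES ('somevalue', 'otherval'), ('secret', 'hidden')");

// The post's approach: the parts come from the URL and are concatenated into SQL.
function searchConcat(PDO $db, array $get): array {
    $query = "select * from mytable where field1='" . $get['f1'] . "' and field2='" . $get['f2'] . "'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the same query with placeholders. The values travel separately
// from the SQL text, so a quote inside f1 is data, never part of the query.
function searchPrepared(PDO $db, array $get): array {
    $stmt = $db->prepare("select * from mytable where field1 = ? and field2 = ?");
    $stmt->execute([$get['f1'], $get['f2']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed $_GET arrays: a normal request, then one carrying an injection.
$normal = ['id' => 1, 'f1' => 'somevalue', 'f2' => 'otherval'];
$attack = ['id' => 1, 'f1' => "x' or '1'='1", 'f2' => "x' or '1'='1"];

echo count(searchConcat($db, $normal)), "\n";    // 1
echo count(searchConcat($db, $attack)), "\n";    // 2: the WHERE clause is always true, every row leaks
echo count(searchPrepared($db, $normal)), "\n";  // 1
echo count(searchPrepared($db, $attack)), "\n";  // 0: the literal string x' or '1'='1 matches no row
```

With the attack input the concatenated SQL becomes `where field1='x' or '1'='1' and field2='x' or '1'='1'`, which is true for every row; the prepared version compares the whole string against field1 and returns nothing. Validating the input is still worthwhile, but the placeholder is what removes the injection.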

TheRealTerry

5:20 pm on Apr 28, 2004 (gmt 0)

10+ Year Member



Excellent responses! I didn't even think about the MySQL security hole I was opening there, not a real issue on this site since it's private, but I could just as easily have done it somewhere public down the line. Thanks for steering me correct there, and for correcting my other newbie mistakes!