The ampersand ('&') is used to separate different parameters in the query string, so you can't use an unencoded ampersand as part of a query string for other purposes. For example, you might have the a url with query string like this:

http://www.example.com/index.php?foo=1&bar=2

In this case the ampersand only shows that 'foo' and 'bar' are separate parameters. In the case of the 'var=Manufacturer--First&Second' query string, your script interprets 'Second' as an additional (empty) parameter.

There should be no problem either quoting the query string value, or url-encoding it [instruct.tri-c.edu]. What problem did you experience when url-encoding the ampersand? Your sample query string should work as far as I can see.

If I create a php file containing the following code:

<?php
print_r($_GET);
?>

...then access that file with your sample query string:

http://www.example.com/test.php?var=Manufacturer--First%26Second

The program output is:

Array ( [var] => Manufacturer--First&Second ) 

-- b

You need a 2-stage process for all parameters in URLs:

1

urlencode()

the parameter
2

htmlentities()

the result
3 Use `&' as the separator

(otherwise entity-strings within a parameter will get converted by the browser to the actual entity; see here:
[w3.org ])

So,

$param1='<some text>'; 
$param2='<some more text>'; 
$sep='&amp;'; 
$url='http://example.com/test.php'; 
 
$param1=htmlentities( urlencode( $param1 )); 
$param2=htmlentities( urlencode( $param2 )); 
$url="$url?var=$param1$sep$param2";

Hi all,

A link in the address bar looking like this:-

index.php?q=foo&bar=pizza

Should be made like this:-

index.php?q=foo&bar=pizza

always put the ampersand like this so that it functions & gets parsed correctly into to address bar.

Also: If i am getting by $_Request[var]

This is poor syntax from a secure & error_reporting point of view, it should be done like this: $_GET['var'] this uses the correct way of accessing the query string & parameters passed through the URL. Note the use of single quotes (you can use double, but that's a preference issue :)) if you don't do that, php will error and give you a notice "undefined index, presumed constant", pop error reporting on, you'll see what I mean.

In the past it has been discussed about the use of $_REQUEST and it's vulnerabilities, fine to use it for localhost/developing, but not for release as you are exposing a lot of information about your site -potentially- to hackers.

Cheers,
MRb

I use AlexK's method, urlencode or rawurlencode on the values themselves, tape it all together with & A note on this,

index.php?q=foo&bar=pizza

You output this in your pages, not in the address bar, so it will be valid (X)HTML output. If you see the & in your address bar you'll need to parse for _$_GET['amp;somevar']. Try it, name this entity.php. :-) Don't change it, just look at the results when you click the links.

<?php 
header("content-type:text/html"); 
if (isset($_GET['amp;oops'])) { 
 echo "<p>Entity in the address bar is " . $_GET['amp;oops'] . "</p> 
 <p>Now let's do it right:  
 <a href=\"entity.php?test=1&amp;oops=Entity-itis\">Click me</a>.</p>"; 
} 
else if (isset($_GET['oops'])) { 
 echo "<p>Got it, <strong>no</strong> entity in the address bar is " . $_GET['oops'] . "</p>"; 
} 
else { 
 echo "<p>To validate your code, apply htmlentities to text. 
 In the following link, the query string is  
 entity.php?test=1&amp;amp;oops=Entity-itis - watch the 
 address bar to see what it does by 
 <a href=\"entity.php?test=1&amp;amp;oops=Entity-itis\">Clicking this link</a></p>"; 
} 
?> 

Thanks for all very helpful replies.
I am still having the same issue as tried by all above mentioned ways and i am badly stuck what is the actual reason it is not getting the value after & sign, though i can see in my url as: First & Second(if passing &), First %26 Second (if using %26), First & Second (incase of &) but in each case second operand after & is not being retreived either by Request or Get, my page encoding is utf-8 and tried with iso-8859-1 as well.

I want to add one more note that parameters are being passed by variable as var which shouldn't be a problem as i have tried even all possible mentioned ways of conversions before passing var.

Here's an example of a page on my own site where I need to pass ampersands in a query string for use at the other end (I'll send the actual URL of the originating page to you so that you can check it out). The originating page uses the method that I've outlined previously:

url: <my_site>/search.php?id=PCI%5CVEN_134D%26DEV_7891%26SUBSYS_0001134D#results
status bar view: <my_site>/search.php?id=PCI\VEN_134D&DEV_7891&SUBSYS_0001134D#results

I got the solution, I have tried it as %2526 which means '%26' as %25 is the code of '%' so %2526 means %26 which works fine but inside query it is showing as & but query is not working.