using $_GET within a php class does not recognise & in query string

ozzii · #1 (**permalink**) 03-19-09, 05:47

Hi

I have a php class within which I am trying to retrieve the content of the following querystring:

Code:

index.php?SearchResults&amp;SearchString=flower&amp;AllWords=off&amp;Page=1

The constructor is as follows:

HTML Code:

// Class constructor
public function __construct()
{
     if (isset ($_GET['SearchResults']))
     {
	  $this->mSearchString = ($_GET['SearchString']);
	  $this->mAllWords = isset ($_GET['AllWords']) ;
        
     }
}

However i keep getting the following error message:

Code:

ERRNO: 8
TEXT: Undefined index:  SearchString

This i have identified is due to the query string having a '&' to separate each name value pairs instead of just '&'. When i manually edit the query string to remove the amp; portion of the ampersand it seems to work strangely enough. Why does $_GET not recognise '&' when used within a class?

dgreenhouse · #2 (**permalink**) 03-19-09, 17:51

It's because that's what you're passing in the URI.

The '&' is getting stripped off and 'amp;' is part of the $_GET row index names after the first one.

i.e.

Code:

Array
(
    [SearchResults] => 
    [amp;SearchString] => flower
    [amp;AllWords] => off
    [amp;Page] => 1
)

Run this to see what I mean:

Code:

test.php?SearchResults&amp;SearchString=flower&amp;AllWords=off&amp;Page=1
<?php // test.php

foreach($_GET as $variable => $value) {
  $after[str_replace('amp;','',$variable)] = $value;
}

print "<pre>";

print '<strong>Before:</strong><br>';
print_r($_GET);

print '<br><strong>After:</strong><br>';
print_r($after);

print "</pre>";

?>

Code:

Before:
Array
(
    [SearchResults] => 
    [amp;SearchString] => flower
    [amp;AllWords] => off
    [amp;Page] => 1
)

After:
Array
(
    [SearchResults] => 
    [SearchString] => flower
    [AllWords] => off
    [Page] => 1
)

ozzii · #3 (**permalink**) 03-20-09, 05:54

Code:

Before:
Array
(
    [SearchResults] => 
    [amp;SearchString] => flower
    [amp;AllWords] => off
    [amp;Page] => 1
)

After:
Array
(
    [SearchResults] => 
    [SearchString] => flower
    [AllWords] => off
    [Page] => 1
)

[/QUOTE]

yes I understand what happening now. Thanks. Is there any php function or class to sanitize all user input either through $_GET or $_POST to prevent sql injection and cross site attacks?

dgreenhouse · #4 (**permalink**) 03-21-09, 09:04

Use mysql_real_escape_string(...).
(Note: You must have an active db connection for mysql_real_escape_string() to work.)

See:
Chris Shiflett: Security Corner: SQL Injection
NYPHP - PHundamentals - Functions for Storing Data Submitted From a Form and Retrieving Data from a Database

ozzii · #5 (**permalink**) 03-21-09, 10:57

When I have a search string that contains an apostrophe e.g flower's it doesnt work - please see below.

PHP Code:


			
test.php?SearchResults&amp;SearchString=flower\&#039;s&amp;AllWords=off&amp;Page=1

results:

Code:

Before:
Array
(
    [SearchResults] => 
    [amp;SearchString] => flower\\
)

After:
Array
(
    [SearchResults] => 
    [SearchString] => flower\\
)

erick_the_redd · #6 (**permalink**) 03-21-09, 14:15

You still would have to use mysql_real_escape_string on Flower's, because MySQL will not allow the ' anyway.

But one solution to dealing with the query string issue is to use the PHP function: htmlspecialchars_decode. That will cover the &, back into straight &, without having to do anything special.

ozzii · #7 (**permalink**) 03-22-09, 05:52

Quote:

Originally Posted by erick_the_redd

But one solution to dealing with the query string issue is to use the PHP function: htmlspecialchars_decode. That will cover the &, back into straight &, without having to do anything special.

Am already using htmlspecialchars_decode to convert special chars. But it does not appear to be converting or recognizing &#039.

Am using the the follwoing to encode the query string:

Code:

htmlspecialchars($link, ENT_QUOTES)

Heres the encoded querystring - not how the apostrophe has been encoded:

PHP Code:


			
test.php?SearchResults&amp;SearchString=flower\&#039;s&amp;AllWords=off&amp;Page=1

note: in the above there should be a backslash after flower (\ & # 039

but the editor on dbforums keeps converting it as above despite using the code tags!

Am using the following to decode the query string:

Code:

htmlspecialchars_decode($queryString, ENT_QUOTES)

it seems to decode other special chars e.g double quotes such as flower"s but not single quotes such as flower's.

I think it is an issue with the html_translation_table used. see below and note the difference in the single quotes:

Code:

Proof:
  Code:
--------------------
<?php
    var_dump(get_html_translation_table(HTML_SPECIALCHARS,ENT_QUOTES));
    var_dump(htmlspecialchars('\'',ENT_QUOTES));
?>
--------------------

  Output:
--------------------
array
  '"' => "&quot;"
  ''' =>  "&#39;" <- should be showing as & # 39; without the spaces
  '<' => "&lt;"
  '>' => "&gt;"
  '&' => "&amp;"

"&#039;" <- should be showing as & # 039; without the spaces
--------------------

However even when I manually edit the query string in the url by removing the 0 from &#039 and hitting refresh it still doesnt work???? Also I am unable to show what is happening because the editor on dbforms converts the array output above into aprostrophes! See this link instead PHP: htmlspecialchars_decode - Manual

dgreenhouse · #8 (**permalink**) 03-23-09, 00:52

Which version of PHP are you using?

htmlspecialchars_decode() works on my system(s).

I assume if htmlspecialchars_decode() isn't throwing an error, you're using PHP 5.1 or newer, but as stated, it's working for me.

As a matter of fact, this:
print htmlspecialchars_decode('SearchResults&SearchS tring=flower & # 039; s&AllWords=off&Page=1',ENT_QUOTES);
(note: I put spaces in the entity so it would display)

outputs this:

SearchResults&SearchString=flower's&AllWords=off&P age=1
(Not sure why a space is getting added between the 'P' and the 'a' in page in the post)

ozzii · #9 (**permalink**) 03-25-09, 18:13

Quote:

Originally Posted by dgreenhouse

Which version of PHP are you using?

htmlspecialchars_decode() works on my system(s).

I assume if htmlspecialchars_decode() isn't throwing an error, you're using PHP 5.1 or newer, but as stated, it's working for me.

As a matter of fact, this:
print htmlspecialchars_decode('SearchResults&SearchS tring=flower & # 039; s&AllWords=off&Page=1',ENT_QUOTES);
(note: I put spaces in the entity so it would display)

outputs this:

SearchResults&SearchString=flower's&AllWords=off&P age=1
(Not sure why a space is getting added between the 'P' and the 'a' in page in the post)

Ok i've tested the above and it works using straight forward php so it must be something to do with smarty template engine that am using. Within my php class am using the following to get the querystring:

Code:

$search_parameters = Link::QueryStringToArray($_SERVER['QUERY_STRING']);

the class method QueryStringToArray is as follows:

Code:

public static function QueryStringToArray($queryString)
	{
		$result = array();
		if ($queryString != '')
		{
			
			$elements = explode('&', htmlspecialchars_decode($queryString, ENT_QUOTES));
			foreach($elements as $key => $value)
			{
				$element = explode('=', $value);
				$result[urldecode($element[0])] = isset($element[1]) ? urldecode($element[1]) : '';
			}
		}
		return $result;
	}

What i have identified is that $_SERVER['QUERY_STRING'] is only retrieving the following part of the querystring:

HTML Code:

SearchResults&SearchString=flower\&

Which means its truncating it once it sees the #. Dont understand why its doing this because it seems to work fine when using straight forward php but not so whne used with smarty.

Internet Services

Web Development

Digital Marketing

Consumer Tech