  1. #1
    Join Date
    Mar 2007
    Posts
    212

    Question Unanswered: using $_GET within a php class does not recognise & in query string

    Hi

    I have a php class within which I am trying to retrieve the content of the following querystring:

    Code:
    index.php?SearchResults&amp;SearchString=flower&amp;AllWords=off&amp;Page=1
    The constructor is as follows:

    PHP Code:
    // Class constructor
    public function __construct()
    {
        if (isset($_GET['SearchResults']))
        {
            $this->mSearchString = $_GET['SearchString'];
            $this->mAllWords = isset($_GET['AllWords']);
        }
    }
    However, I keep getting the following error message:

    Code:
    ERRNO: 8
    TEXT: Undefined index:  SearchString
    This I have identified is due to the query string having a '&amp;' to separate each name/value pair instead of just '&'. When I manually edit the query string to remove the amp; portion of the ampersand it seems to work, strangely enough. Why does $_GET not recognise '&amp;' when used within a class?

  2. #2
    Join Date
    Mar 2009
    Posts
    11
    It's because that's what you're passing in the URI.

    The '&' is getting stripped off and 'amp;' is part of the $_GET row index names after the first one.

    i.e.

    Code:
    Array
    (
        [SearchResults] => 
        [amp;SearchString] => flower
        [amp;AllWords] => off
        [amp;Page] => 1
    )
    Run this to see what I mean:
    Code:
    test.php?SearchResults&amp;SearchString=flower&amp;AllWords=off&amp;Page=1
    <?php // test.php

    // Strip the stray 'amp;' prefix that the HTML-escaped '&amp;' leaves on every key after the first
    $after = array();
    foreach ($_GET as $variable => $value) {
        $after[str_replace('amp;', '', $variable)] = $value;
    }

    print "<pre>";

    print '<strong>Before:</strong><br>';
    print_r($_GET);

    print '<br><strong>After:</strong><br>';
    print_r($after);

    print "</pre>";

    ?>
    Code:
    Before:
    Array
    (
        [SearchResults] => 
        [amp;SearchString] => flower
        [amp;AllWords] => off
        [amp;Page] => 1
    )
    
    After:
    Array
    (
        [SearchResults] => 
        [SearchString] => flower
        [AllWords] => off
        [Page] => 1
    )

  3. #3
    Join Date
    Mar 2007
    Posts
    212
    Code:
    Before:
    Array
    (
        [SearchResults] => 
        [amp;SearchString] => flower
        [amp;AllWords] => off
        [amp;Page] => 1
    )
    
    After:
    Array
    (
        [SearchResults] => 
        [SearchString] => flower
        [AllWords] => off
        [Page] => 1
    )

    Yes, I understand what's happening now. Thanks. Is there any PHP function or class to sanitize all user input, either through $_GET or $_POST, to prevent SQL injection and cross-site attacks?

  4. #4
    Join Date
    Mar 2009
    Posts
    11
    Use mysql_real_escape_string(...).
    (Note: You must have an active db connection for mysql_real_escape_string() to work.)

    See:
    Chris Shiflett: Security Corner: SQL Injection
    NYPHP - PHundamentals - Functions for Storing Data Submitted From a Form and Retrieving Data from a Database
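    For the question in post #3 (sanitising $_GET/$_POST values against SQL injection and cross-site scripting), an added example that is not from the thread: it binds the search terms with a PDO prepared statement instead of mysql_real_escape_string(), which the reply names but which was removed in PHP 7, and escapes the value with htmlspecialchars() only when writing it back into HTML. It assumes an in-memory SQLite database with a product(name) table, constructed here so the script runs stand-alone; the function names are the example's own.

```php
<?php
// Added example (not from the thread): one safe path for a SearchString value.
// SQL side: PDO prepared statements (swapped in for mysql_real_escape_string()).
// HTML side: htmlspecialchars() at output time.
declare(strict_types=1);

function findProducts(PDO $db, string $searchString, bool $allWords): array
{
    // AllWords=on: every whitespace-separated term must match; off: the whole string.
    $terms = $allWords
        ? preg_split('/\s+/', trim($searchString), -1, PREG_SPLIT_NO_EMPTY)
        : [trim($searchString)];
    $sql = 'SELECT name FROM product WHERE 1=1';
    $params = [];
    foreach ($terms as $i => $term) {
        // The value travels as a bound parameter, never as SQL text, so the
        // apostrophe in "flower's" (or any other SQL syntax) is plain data.
        // LIKE wildcards typed by the user are escaped so they match literally.
        $sql .= " AND name LIKE :t$i ESCAPE '\\'";
        $params[":t$i"] = '%' . addcslashes($term, '%_\\') . '%';
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE product (name TEXT)');
$insert = $db->prepare('INSERT INTO product (name) VALUES (?)');
foreach (["flower's pot", 'red flower', 'tulip'] as $name) {
    $insert->execute([$name]);
}

// Constructed stand-in for $_GET from index.php?SearchResults&SearchString=flower's&AllWords=off&Page=1
$get = ['SearchResults' => '', 'SearchString' => "flower's", 'AllWords' => 'off', 'Page' => '1'];
$searchString = (string) ($get['SearchString'] ?? '');
$allWords = isset($get['AllWords']) && $get['AllWords'] === 'on';

$rows = findProducts($db, $searchString, $allWords);   // ["flower's pot"]

// Echoing the term back: escape for the HTML context, quotes included, so a
// search string carrying markup is displayed as text rather than interpreted.
echo 'Results for "' . htmlspecialchars($searchString, ENT_QUOTES, 'UTF-8') . "\":\n";
foreach ($rows as $name) {
    echo ' - ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
}
```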

  5. #5
    Join Date
    Mar 2007
    Posts
    212
    When I have a search string that contains an apostrophe, e.g. flower's, it doesn't work. Please see below.

    PHP Code:
    test.php?SearchResults&amp;SearchString=flower\&#039;s&amp;AllWords=off&amp;Page=1 
    results:

    Code:
    Before:
    Array
    (
        [SearchResults] => 
        [amp;SearchString] => flower\\
    )
    
    After:
    Array
    (
        [SearchResults] => 
        [SearchString] => flower\\
    )
    Last edited by ozzii; 03-21-09 at 12:01.

  6. #6
    Join Date
    Mar 2009
    Location
    Chelan, Washington, USA
    Posts
    2
    You still would have to use mysql_real_escape_string on Flower's, because MySQL will not allow the ' anyway.

    But one solution to dealing with the query string issue is to use the PHP function: htmlspecialchars_decode. That will cover the &amp;, back into straight &, without having to do anything special.

  7. #7
    Join Date
    Mar 2007
    Posts
    212
    Quote Originally Posted by erick_the_redd

    But one solution to dealing with the query string issue is to use the PHP function: htmlspecialchars_decode. That will cover the &amp;, back into straight &, without having to do anything special.
    Am already using htmlspecialchars_decode to convert special chars. But it does not appear to be converting or recognizing &#039.

    Am using the following to encode the query string:

    Code:
    htmlspecialchars($link, ENT_QUOTES)
    Here's the encoded query string; note how the apostrophe has been encoded:

    PHP Code:
    test.php?SearchResults&amp;SearchString=flower\&#039;s&amp;AllWords=off&amp;Page=1 
    note: in the above there should be a backslash after flower (\ & # 039 but the editor on dbforums keeps converting it as above despite using the code tags!

    Am using the following to decode the query string:

    Code:
    htmlspecialchars_decode($queryString, ENT_QUOTES)
    It seems to decode other special chars, e.g. double quotes such as flower"s, but not single quotes such as flower's.

    I think it is an issue with the html_translation_table used. See below and note the difference in the single quotes:

    Code:
    <?php
        var_dump(get_html_translation_table(HTML_SPECIALCHARS, ENT_QUOTES));
        var_dump(htmlspecialchars('\'', ENT_QUOTES));
    ?>
    Output:
    Code:
    array
      '"' => "&quot;"
      ''' => "&#39;" <- should be showing as & # 39; without the spaces
      '<' => "&lt;"
      '>' => "&gt;"
      '&' => "&amp;"

    "&#039;" <- should be showing as & # 039; without the spaces
    However, even when I manually edit the query string in the URL by removing the 0 from &#039 and hitting refresh it still doesn't work? Also I am unable to show what is happening because the editor on dbforums converts the array output above into apostrophes! See this link instead: PHP: htmlspecialchars_decode - Manual
    Last edited by ozzii; 03-22-09 at 07:09.

  8. #8
    Join Date
    Mar 2009
    Posts
    11
    Which version of PHP are you using?

    htmlspecialchars_decode() works on my system(s).

    I assume if htmlspecialchars_decode() isn't throwing an error, you're using PHP 5.1 or newer, but as stated, it's working for me.

    As a matter of fact, this:
    print htmlspecialchars_decode('SearchResults&amp;SearchString=flower & # 039; s&amp;AllWords=off&amp;Page=1',ENT_QUOTES);
    (note: I put spaces in the entity so it would display)

    outputs this:

    SearchResults&SearchString=flower's&AllWords=off&Page=1
    (Not sure why a space is getting added between the 'P' and the 'a' in page in the post)
    Last edited by dgreenhouse; 03-23-09 at 03:02.

  9. #9
    Join Date
    Mar 2007
    Posts
    212
    Quote Originally Posted by dgreenhouse
    Which version of PHP are you using?

    htmlspecialchars_decode() works on my system(s).

    I assume if htmlspecialchars_decode() isn't throwing an error, you're using PHP 5.1 or newer, but as stated, it's working for me.

    As a matter of fact, this:
    print htmlspecialchars_decode('SearchResults&amp;SearchString=flower & # 039; s&amp;AllWords=off&amp;Page=1',ENT_QUOTES);
    (note: I put spaces in the entity so it would display)

    outputs this:

    SearchResults&SearchString=flower's&AllWords=off&Page=1
    (Not sure why a space is getting added between the 'P' and the 'a' in page in the post)

    OK, I've tested the above and it works using straightforward PHP, so it must be something to do with the Smarty template engine that I am using. Within my PHP class I am using the following to get the query string:

    Code:
    $search_parameters = Link::QueryStringToArray($_SERVER['QUERY_STRING']);
    the class method QueryStringToArray is as follows:

    Code:
    public static function QueryStringToArray($queryString)
    {
        $result = array();
        if ($queryString != '')
        {
            // Undo the HTML escaping (&amp; -> &) before splitting on the separator
            $elements = explode('&', htmlspecialchars_decode($queryString, ENT_QUOTES));
            foreach ($elements as $key => $value)
            {
                // Split on the first '=' only, so a value containing '=' is kept whole
                $element = explode('=', $value, 2);
                $result[urldecode($element[0])] = isset($element[1]) ? urldecode($element[1]) : '';
            }
        }
        return $result;
    }
    What i have identified is that $_SERVER['QUERY_STRING'] is only retrieving the following part of the querystring:

    Code:
    SearchResults&SearchString=flower\&
    Which means it's truncating it once it sees the #. I don't understand why it's doing this, because it seems to work fine when using straightforward PHP but not so when used with Smarty.
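    On the truncation in the last post: a browser treats everything from the first raw # in a URL as the fragment and never sends it, so an entity such as &#039; placed unencoded in a link ends the query string at that # before it reaches $_SERVER['QUERY_STRING']. Added example, not from the thread or the OP's Link class, covering the amp; keys from post #2 as well: values are percent-encoded with http_build_query() (apostrophe becomes %27, # becomes %23), the link is HTML-escaped only where it is written into the page, and the server parses the raw query string with parse_str(); the function names are the example's own.

```php
<?php
// Added example (not from the thread or the OP's Link class).
declare(strict_types=1);

// Build the link: percent-encode each value. Only the copy written into HTML is
// entity-escaped; the browser turns &amp; back into & before requesting, so the
// server never sees "amp;" keys and never sees a raw # or ' in the query.
function buildSearchLink(string $search, bool $allWords, int $page): string
{
    return 'index.php?' . http_build_query([
        'SearchResults' => '',                 // flag parameter from the thread's URL
        'SearchString'  => $search,            // ' -> %27, # -> %23, space -> +
        'AllWords'      => $allWords ? 'on' : 'off',
        'Page'          => $page,
    ]);
}

// Escape for an HTML attribute only at output time, e.g. <a href="...">.
function linkForHtml(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Server side: parse the raw query string. parse_str() splits on & and
// urldecodes %27 back to the apostrophe; no entity decoding is needed. Seeing
// "amp;" keys here means the link was HTML-escaped and then used outside HTML.
function queryStringToArray(string $queryString): array
{
    $result = [];
    parse_str($queryString, $result);
    return $result;
}

$url = buildSearchLink("flower's", false, 1);   // constructed sample input
echo $url, "\n";              // index.php?SearchResults=&SearchString=flower%27s&AllWords=off&Page=1
echo linkForHtml($url), "\n"; // ...&amp;SearchString=flower%27s&amp;AllWords=off&amp;Page=1

// What $_SERVER['QUERY_STRING'] holds after the browser follows the link.
$params = queryStringToArray(substr($url, strlen('index.php?')));
var_dump($params['SearchString']);   // string(8) "flower's"

// The failure from the last post: with a raw entity in the link, the browser
// keeps everything from the # as the fragment and sends only the part before it.
$raw  = 'SearchResults&SearchString=flower&#039;s&AllWords=off&Page=1';
$sent = strstr($raw, '#', true) ?: $raw;
var_dump($sent);   // string(34) "SearchResults&SearchString=flower&"
```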
