
Taking care of quotes in repost URL

Hi all,
I use php for form validation. In case a field does not validate ok, I have a rePost function:

[code=php]
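$q = ''; // start with an empty query string
foreach ($_POST as $field => $value) {
    // append each posted field as name=value, URL-encoding the value
    $q .= $field."=".urlencode($value)."&";
}
header("Location: new_member.php?error=".$errField."&".$q); die();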
[/code]

The urlencode() takes good care of i.e. “&”, but what is the best way to handle single and double quotes when sending back the fields in the query string??

Thanks in advance!
/Claes

PHP

7 Comment(s)

@beau_kang Jan 27, 2009 — Have you thought about doing urlencode or htmlspecialchars functions?
@claes (author) Jan 27, 2009 — The original function included urlencode.

I added the htmlspecialchars, so now it's:
[code=php]
foreach ($_POST as $field => $value) {
    $q .= $field."=".urlencode(htmlspecialchars($value, ENT_QUOTES))."&";
}
header("Location: new_member.php?error=".$errField."&".$q); die();
[/code]

But when receiving the query string in the original form as:
[code=php]
<input id="fname" name="fname" maxlength="30" tabindex="1" value="<?=htmlspecialchars_decode(urldecode($_GET["fname"]), ENT_QUOTES)?>" />
[/code]

... I still get backslashed quotes ("This is a double quote entered in a form field").

Ideas?

/Claes
@Mindzai Jan 27, 2009 — You shouldn't need htmlspecialchars as well - urlencode should be enough. It looks like you probably have magic_quotes enabled. Try this:
[code=php]
if (get_magic_quotes_gpc()) {
    $value = stripslashes(urldecode($_GET["fname"]));
} else {
    $value = urldecode($_GET["fname"]);
}
[/code]
@JunkMale Jan 27, 2009 — Or convert the " to the HTML string of it, &quot;, and back again as required, or, as suggested, the encode function to convert characters like " into its %## version.
@claes (author) Jan 27, 2009 — Mindzai,

magic_quotes was enabled so I removed the htmlspecialchars() in the repost and added stripslashes() in the original form:
[code=php]
<?php
// validation script: rebuild the query string from the posted fields
$q = '';
foreach ($_POST as $field => $value) {
    $q .= $field."=".urlencode($value)."&";
}
header("Location: new_member.php?error=".$errField."&".$q); die();
?>

<!-- new_member.php -->
<input type="text"... ... value="<?=urldecode($_GET["fname"])?>" />
[/code]

Now, if some field is not validated OK, an entered name with a single quote: d'Artagnan gets reposted as d\'Artagnan (one \).

And a name with double quote (if there are any...): Ca"rl is reposted as Ca (strips everything after ")

Any ideas?

Thanks!

/Claes
@Mindzai Jan 27, 2009 — Don't forget that magic_quotes will also be escaping data from $_POST and $_GET, so you will need to strip the slashes from both arrays.
@claes (author) Jan 27, 2009 — Finally got it working.

Thanks Mindzai
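
The thread ends without showing the working code. The following is an added example, not code from any poster, of the round trip discussed above: strip the magic_quotes backslashes, URL-encode for the redirect, and escape with htmlspecialchars() only when writing the value into the HTML attribute. The helper names (raw_input_value, build_repost_query, attr) and the sample values are hypothetical, and magic quotes are simulated with addslashes() because the setting was removed in PHP 5.4.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Undo magic_quotes_gpc escaping when the (pre-PHP 5.4) setting is on.
function raw_input_value(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Build the repost query string: URL encoding only, no HTML escaping here.
function build_repost_query(array $fields, bool $magicQuotesOn): string
{
    $clean = [];
    foreach ($fields as $name => $value) {
        $clean[$name] = raw_input_value((string) $value, $magicQuotesOn);
    }
    return http_build_query($clean); // encodes both names and values
}

// Escape for an HTML attribute at output time. ENT_QUOTES covers ' and ",
// so a value such as Ca"rl can no longer end the value="..." attribute early.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: what $_POST would hold with magic quotes enabled.
$post  = ['fname' => addslashes("d'Artagnan"), 'nick' => addslashes('Ca"rl <b>')];
$query = build_repost_query($post, true);
echo "Location: new_member.php?error=fname&" . $query . "\n";

// Receiving side: PHP has already URL-decoded $_GET, so no urldecode() call
// is needed. parse_str() stands in for that decoding in this offline demo.
parse_str($query, $get);
foreach ($get as $name => $value) {
    // Pass true instead of false on a server where magic_quotes_gpc is on,
    // since $_GET is escaped there as well.
    $shown = attr(raw_input_value($value, false));
    echo '<input name="' . attr($name) . '" value="' . $shown . '" />' . "\n";
}
```

Calling urldecode() on a value taken from $_GET decodes it a second time, which corrupts input that legitimately contains % or + characters.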