
I have been given a database whose content I can't modify. Everything has been going fine until I was passing some variables in a URL through a link, and an apostrophe in one of the variables (i.e. "Frank's Used Cars") is causing the variables behind it to not be passed.

This is what is currently being passed:

&var1=600&miles=44000&var2=Frank

When it should be like this:

&var2=600&miles=44000&var2=Frank's%20Used%20Cars%20&var3=111111111

As I said, the problem is with the apostrophe. I've tried changing the 'dealer' field in my database in phpMyAdmin to 'utf8_swedish_ci' and also changed it to this on the MySQL connection collation from 'latin1_swedish_ci'.

Obviously if I take the apostrophe out all is fine and dandy but I can't do this. Any help would be great!

    echo "<td>";
        echo $row->var1;
    echo "</td>";
    echo "<td>";
        echo $row->var2;
    echo "</td>";
    echo "<td>";
        echo $row->dealer;
    echo "</td>";
    // The href is delimited by single quotes and the values are not encoded, so a
    // dealer such as Frank's Used Cars ends the attribute at the apostrophe and
    // everything after it is dropped from the link (the bug described above).
    echo "<td><a href='look.php?price=$row->price&miles=$row->miles&dealer=$row->dealer'>More Info</a></td>";

Dynamic URL link:

    echo "<td>";
        // Each value is percent-encoded, so the apostrophe in the dealer name no longer breaks the query string.
        $url = "look.php?make=".urlencode($row->make)."&model=".urlencode($row->model)."&colour=".urlencode($row->colour)."&Reg=".urlencode($row->Reg)
             ."&miles=".urlencode($row->miles)."&price=".urlencode($row->price)."&region=".urlencode($row->region)."&miles=".urlencode($row->miles);
        // Prints the text of an assignment instead of executing it, so $urlHTML is never set (the defect Paul Dixon points out in his comments).
        echo "$urlHTML=htmlspecialchars($url)";
        echo "<a href=\"$urlHTML\">More Info</a>";
    echo "</td>";
Isaac Bennetch
user1327746
    STOP. STOP. FULL STOP. Read up on [SQL Injection](http://en.wikipedia.org/wiki/SQL_injection). Then search for SO on how to prevent it. Problem "magically solved"! Plus, it will avoid the cases of someone *deleting all your content*. –  Apr 11 '12 at 22:41
  • **You are leaving yourself wide open to SQL injection attacks.** Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started. – Andy Lester Aug 19 '13 at 12:20

4 Answers


SQL injection has been mentioned, urlencode has been mentioned, but it's not clear from your question at what point the data is getting broken.

But the solution, regardless of where it is breaking is the same:

  1. always escape data at the point where it leaves PHP
  2. always use the appropriate method for escaping data based on where it is going

To write data into a URL, use urlencode.

To write data into HTML use htmlentities()

To write data into XML use htmlspecialchars()

To write string data into a 7-bit email use quoted_printable_encode()

To write binary data into an email, make the email MIME and base64 encode the data or use uuencode()

To write data into a MySQL query string, use mysql[i]_real_escape_string() or parameter binding

...

symcbean

Refer to this function. It will let you, after you have constructed your URL string, automagically escape it so that this problem doesn't arise, or many others like it.

Nathaniel Ford
  • Not extremely helpful if it escapes *everything* -- all those percent signs that are already part of existing URL-encoding would get escaped too. – cHao Apr 11 '12 at 22:40
  • What percent signs? The ones in his output? Because the escaping function will actually insert %20 for spaces, as it should to properly encode a url. – Nathaniel Ford Apr 11 '12 at 22:41
  • But something's already doing that, as evidenced by the fact that the `%20`s already *exist* in the name... – cHao Apr 11 '12 at 22:43
  • 1
    This is not the problem. `'` is valid in that portion of a URI. –  Apr 11 '12 at 22:43
  • It's more likely he's not encoding the URL correctly in his html, in which case htmlentities() would be used – Paul Dixon Apr 11 '12 at 22:44
  • @user1327746 Can you clarify how you're building the url string? I think that is where we are all going different directions. pst is right; it seems as though there is a quoting error in how your php is constructing the url string. – Nathaniel Ford Apr 11 '12 at 22:45
  • Ok, so basically I run an SQL query, then echo out the results in a while loop, i.e. echo $row->dealer. I then pass this with a simple a href link to another page, then use a GET function to retrieve them. I'm pretty new to PHP so just working my way through it. – user1327746 Apr 11 '12 at 22:58
  • Am I right in thinking that using a function to strip any unnecessary characters (i.e. as with an SQL injection) is what I need to look at? – user1327746 Apr 11 '12 at 23:00
  • @user1327746: Stripping chars is the lazy way out. A database can hold, and a web page can display, any characters you want it to. The only issue is putting the chars into a format that won't break stuff. SQLwise, if you use prepared statements, that's already 99% done for you. JSwise, `some_var = <?= json_encode($value) ?>;`. And for HTML, `<?= htmlentities($value, ENT_QUOTES) ?>`. – cHao Apr 11 '12 at 23:19
  • Ok guys, so I've posted in my original question how my results are displayed and how the link sends them. Could you point me in the direction of where I need to use the function to stop the apostrophe (by using htmlentities or real escape string)? – user1327746 Apr 12 '12 at 00:02

Firstly, there are some characters which need to be escaped in a URL, so use urlencode to build up your url.

$url="look.php?price=".urlencode($row->price).
   "&miles=".urlencode($row->miles).
   "&dealer=".urlencode($row->dealer);

That will ensure your URL works as intended. This should fix your particular problem, but if you want to produce valid HTML (and why wouldn't you!) you'd encode that URL for HTML with htmlspecialchars

$urlHTML = htmlspecialchars($url);
echo "<td><a href=\"$urlHTML\">More Info</a></td>";
Paul Dixon
  • Hi Paul, I've built my link using your method but now my variables passed from my homepage form seem to be becoming unset (Index undefined). I have edited my original question with how I've built the link so far. Also the $urlHTML variable is not defined. – user1327746 Apr 12 '12 at 11:20
  • That's because you're echoing PHP code rather than executing it! Compare your code with my example! – Paul Dixon Apr 12 '12 at 11:54
  • Many thanks Paul. Had to do a few other mods elsewhere on the DB but I now have %27! – user1327746 Apr 12 '12 at 13:17
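As an added example (not code from the question or from any of the answers above), here is the "More Info" link from the question built the way symcbean's list and Paul Dixon's answer describe, with the database side done through PDO parameter binding as the comments recommend: each value is encoded for the boundary it is crossing, and nothing is stripped or backslash-escaped. The table name `cars`, the `region`/`Reg` lookup, the DSN and the sample row are assumptions chosen to match the column names in the question.

```php
<?php
// Added example, not code from the question or any answer. Table name, DSN,
// lookup columns and the sample row are assumptions.
declare(strict_types=1);

// Boundary 1, PHP -> MySQL: bind parameters instead of splicing values into
// the SQL text, so a quote character in "Frank's Used Cars" is only ever data.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=cars;charset=utf8mb4', // assumed DSN
        'user',
        'password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
    );
}

function fetchCarsByRegion(PDO $pdo, string $region): array
{
    $stmt = $pdo->prepare(
        'SELECT make, model, colour, Reg, miles, price, region, dealer
           FROM cars WHERE region = :region'
    );
    $stmt->execute([':region' => $region]);
    return $stmt->fetchAll(PDO::FETCH_OBJ);
}

// Boundary 2, PHP -> URL: http_build_query() percent-encodes every key and
// value (apostrophe -> %27, space -> %20 under RFC 3986), so the apostrophe
// can no longer cut the query string short.
function moreInfoUrl(object $row): string
{
    return 'look.php?' . http_build_query([
        'make'   => $row->make,
        'model'  => $row->model,
        'colour' => $row->colour,
        'Reg'    => $row->Reg,
        'miles'  => $row->miles,
        'price'  => $row->price,
        'region' => $row->region,
        'dealer' => $row->dealer,
    ], '', '&', PHP_QUERY_RFC3986);
}

// Boundary 3, PHP -> HTML attribute: entity-encode the URL so its & and any
// quote characters cannot terminate the double-quoted href. This is the step
// the question's original single-quoted href skipped.
function moreInfoCell(object $row): string
{
    $href = htmlspecialchars(moreInfoUrl($row), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td><a href="' . $href . '">More Info</a></td>';
}

// Boundary 4, URL -> PHP -> MySQL on look.php: PHP has already percent-decoded
// $_GET, so the raw value is bound as a parameter and re-encoded only when it
// is written back into HTML.
function lookupCar(PDO $pdo, array $query): ?object
{
    $stmt = $pdo->prepare('SELECT * FROM cars WHERE dealer = :dealer AND Reg = :reg');
    $stmt->execute([
        ':dealer' => (string) ($query['dealer'] ?? ''),
        ':reg'    => (string) ($query['Reg'] ?? ''),
    ]);
    $row = $stmt->fetch(PDO::FETCH_OBJ);
    return $row === false ? null : $row;
}

// Constructed sample row, so the encoding steps can be run without a database.
$sample = (object) [
    'make' => 'Ford', 'model' => 'Focus', 'colour' => 'Blue', 'Reg' => 'AB12 CDE',
    'miles' => 44000, 'price' => 600, 'region' => 'North', 'dealer' => "Frank's Used Cars",
];
echo moreInfoCell($sample), PHP_EOL;

// What look.php sees: PHP decodes the percent-encoding back to the stored value,
// so the apostrophe survives the whole round trip.
parse_str('dealer=Frank%27s%20Used%20Cars&Reg=AB12%20CDE', $decoded);
if ($decoded['dealer'] !== "Frank's Used Cars") {
    throw new RuntimeException('round trip lost the apostrophe');
}
```

The two encodings are layered in the order the data crosses boundaries: the URL is percent-encoded first, then that whole URL is entity-encoded for the attribute, which turns the `&` separators into `&amp;`. The browser undoes the entity encoding when it parses the attribute and the server undoes the percent-encoding when it populates `$_GET`, so the stored string arrives intact and is bound to the query without ever being spliced into SQL text.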

Try: $code = str_replace("'", "\'", $code);

ehime
  • 3
    Yeah, no. This does not even address the real issue. –  Apr 11 '12 at 22:42
  • No it doesn't but it still works, if he has unsafe sql code there's more of a problem, but the above will STILL work.... I agree with pst, look at what you're doing first. You're passing insecure code. Look into database preparatory statements first. http://php.net/manual/en/function.mysql-real-escape-string.php – ehime Apr 11 '12 at 22:44
  • 1
    Or better yet, ***stop freaking using `mysql` functions and building SQL by hand***. There have been better alternatives for almost 10 years. All of which support prepared statements, which make `mysql_real_escape_string` look downright prehistoric (*which it is*). – cHao Apr 11 '12 at 22:47
  • If the guy doesn't get SO is he really going to be able to use PDO though? We can tell him to use PDO->prepare() but is he going to know how? my 0.2c – ehime Apr 11 '12 at 22:51
  • 1
    @cHao An SO'er after my own heart ;-) –  Apr 11 '12 at 22:53
  • 1
    He will if it's presented as *the* way to do things. As it is, people are saying "use `mysql_real_escape_string`; it'll solve your problem" when the *real* problem is they're cobbling SQL together as if they were a freaking compiler -- when PDO or even mysqli could be doing the heavy lifting for them. – cHao Apr 11 '12 at 22:54
  • Granted, I think its just a bit out of his league at this point in time. Maybe after he gets caught with his hand in the cookie jar after a "Name'); DROP TABLE USERS;" He'll learn the hard way and refactor his code. – ehime Apr 11 '12 at 22:57