#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Nov 2012
    Posts
    15
    Rep Power
    0

    Help with passing a query string


    I want to pass some data using a query string, but have run into a problem.
    The line of code is as follows:
    <td style="text-align:center; width:5%;"><a href=xxx.php?HouseholdID=<? echo $HouseholdID . '&HouseholdName=' . $HouseholdName; ?> ><img src=pencil.gif border=0></a></td>

    The HouseholdName displays correctly in the table column with the full name i.e. Smith, John, but when the query string runs only the value "Smith" is returned instead of the full name Smith, John. Is this because of the comma between the last and first name and is there a way around this?

    Thanks,
    Tom
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Hi,

    this is the same problem as last time when you inserted raw variables into query strings.

    You need to urlencode() every variable before you can safely insert it into a URL. Otherwise you'll end up with a complete mess or even a gigantic security hole.

    I hope you at least applied htmlentities() to $HouseholdID etc.? If you didn't, people can insert anything into your page and steal your users' cookies, redirect them to a malware site and whatnot.
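
The two encoding steps named in the reply above, as an added example that is not part of the original thread. The row values and the `edit_link()` helper are constructed for illustration; `xxx.php` and `pencil.gif` are the names used in the question.

```php
<?php
// Constructed sample rows (assumption: the real values come from the database).
$rows = [
    ['HouseholdID' => 17, 'HouseholdName' => 'Smith, John'],
    ['HouseholdID' => 18, 'HouseholdName' => 'O\'Brien & Sons "HQ"'],
];

// Hypothetical helper: returns a value that is safe to place inside href="...".
function edit_link(string $script, array $params): string
{
    // URL context: http_build_query() URL-encodes every key and value
    // (same escaping as urlencode()), so spaces, commas, '&' and '='
    // in a name cannot split or truncate the query string.
    $url = $script . '?' . http_build_query($params);

    // HTML context: escape the finished URL for the attribute.
    // ENT_QUOTES covers both quote styles; the '&' separators become '&amp;'.
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

echo "<table>\n";
foreach ($rows as $row) {
    $href = edit_link('xxx.php', [
        'HouseholdID'   => $row['HouseholdID'],
        'HouseholdName' => $row['HouseholdName'],
    ]);

    // Text shown in the cell is HTML-escaped as well; it is not URL-encoded
    // because it is not part of a URL.
    $label = htmlentities($row['HouseholdName'], ENT_QUOTES, 'UTF-8');

    // The attribute value is quoted. An unquoted href ends at the first
    // whitespace, so anything after the space in a name is dropped.
    echo "  <tr>\n";
    echo "    <td>{$label}</td>\n";
    echo "    <td style=\"text-align:center; width:5%;\">";
    echo "<a href=\"{$href}\"><img src=\"pencil.gif\" border=\"0\" alt=\"Edit\"></a>";
    echo "</td>\n";
    echo "  </tr>\n";
}
echo "</table>\n";
```

On the receiving page, PHP has already URL-decoded `$_GET['HouseholdName']`; it still has to be HTML-escaped again before it is echoed into that page.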
