0

I'm passing ProductName through a URL and 2 of the names have single quotation marks in them (which is causing the buttons to not work). Is there any workaround for this? I've tried playing with htmlentities() but that's not fixing the issue. I get the "Uncaught SyntaxError: Unexpected identifier" error when I try clicking on a Product that has a quote in its name.

<?php

$search = $_GET['search'];

require 'db/connect.php';

$result = $db->query("SELECT * FROM products WHERE ProductSearch = '$search'");
if($result->num_rows){
    echo '<table border="0" cellspacing="0" style="width:100%;">';
    echo '<tr><td></td><td><u>Product Name</u></td><td><u>Price</u></td><td><u>Wisconsin Artisans</u></td></tr>';
    while($row = $result->fetch_assoc()){
        $ProductId    = $row['ProductId'];
        $ProductImage = htmlentities($row['ProductImage'], ENT_QUOTES, 'UTF-8');
        $ProductName  = $row['ProductName'];
        $ProductPrice = $row['ProductPrice'];
        echo '<tr>';
        echo '<td><a href="productpage.php?productid=', $row['ProductId'],'"><img height="80px" width="80px "src="', $row['ProductImage'] ,'"/></a></td>';
        echo '<td><a id="productlink" href="productpage.php?productid=', $row['ProductId'],'">', $row['ProductName'], '</a></td>';
        echo '<td> $', $row['ProductPrice'], '</td>';
        echo '<td> ', $row['ProductVendor'], '</td>';
        //echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $row['ProductId'], '\'" value=\'Add to Cart\' id="addtocart"></td></tr>';
        echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';
    }

    echo '</table>';
    $result->free();
}
else{
    echo '<h3 style="color:black;">No products here just yet, but there will be soon!</h3>';
}
?>
MPStimpson

3 Answers

0
$ProductImage = htmlentities($row['ProductImage'], ENT_QUOTES, 'UTF-8');
...
echo '....', $row['ProductImage'],'">....

You already converted both double and single quotes to their HTML entities, but then you don't use the variable in which you did so. You should be using $ProductImage rather than $row['ProductImage'] in your echo.

developerwjk
  • Should add a note about SQL injections as well. `$search = $_GET['search']; $result = $db->query("SELECT * FROM products WHERE ProductSearch = '$search'");` – chris85 Jun 11 '15 at 23:37
  • oh.... Whoops haha, I haven't had any trouble running it with commas until now! I replaced all the commas with periods, but I'm still getting an error. It's only with products that have single quotes in the ProductName. – MPStimpson Jun 11 '15 at 23:41
  • You can replace the single quotes with the HTML entity: `$str = str_replace("'", "&#39;", $str);` – developerwjk Jun 11 '15 at 23:42
  • `echo` allows multiple arguments, separated with comma. – Barmar Jun 11 '15 at 23:42
  • @developerwjk It's better to use `htmlentities()` to perform your substitutions. – Barmar Jun 11 '15 at 23:43
  • @Barmar he's supposedly already running htmlentities with ent_quotes....lol, I see the problem now. Editing my answer. – developerwjk Jun 11 '15 at 23:45
0

Change this line:

echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';

to:

echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', urlencode($ProductName), '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';

urlencode() will encode the product name correctly so it can be put in a URL. This will convert quote characters to %39.

Barmar
  • That worked like a charm! How do I un-encode it afterwards? I've passed it to the cart, but now it's displaying as &#39; – MPStimpson Jun 11 '15 at 23:53
  • That's coming from calling `htmlentities()` on the parameter. You should only do that when you're displaying something in HTML, not using it in PHP code. – Barmar Jun 11 '15 at 23:59
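The fix from this answer and its follow-up comment, worked through end to end as added example code (not from the question or any answer; it assumes a mysqli connection in $db and the question's products table): the search term is bound instead of interpolated into the SQL, the cart URL is built with http_build_query() so a quote becomes %27, and the name is HTML-escaped only at the moment it is printed in cart.php.

```php
<?php
// Added example: each value is encoded once, for the context it lands in.
// Assumes a mysqli connection in $db and the question's products table.

// 1. Database context: bind the search term instead of interpolating it,
//    so a quote in the input can never alter the SQL statement.
function findProducts(mysqli $db, string $search): array {
    $stmt = $db->prepare(
        'SELECT ProductId, ProductName, ProductPrice FROM products WHERE ProductSearch = ?'
    );
    $stmt->bind_param('s', $search);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// 2. URL context: http_build_query() urlencode()s every value, so the
//    apostrophe in a name becomes %27 and an ampersand becomes %26.
function cartUrl(array $row): string {
    return 'cart.php?' . http_build_query([
        'ProductId'    => $row['ProductId'],
        'ProductName'  => $row['ProductName'],
        'ProductPrice' => $row['ProductPrice'],
        'ProductQty'   => 1,
    ]);
}

// 3. HTML/JS context: the URL sits inside onclick="location.href='...'".
//    A urlencoded string contains no quotes, so it cannot close the JS
//    literal; htmlspecialchars() then protects the attribute boundary.
function addToCartButton(array $row): string {
    $url = htmlspecialchars(cartUrl($row), ENT_QUOTES, 'UTF-8');
    return '<input type="button" onclick="location.href=\'' . $url . '\'" value="Add to Cart">';
}

// cart.php side: PHP already URL-decodes $_GET. Do not htmlentities() the
// value before using it; escape only when printing, or ' shows up as &#39;.
function cartLine(array $get): string {
    $name = $get['ProductName'] ?? '';
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

// Constructed sample row standing in for a database result.
$sample = ['ProductId' => 7, 'ProductName' => "Grandma's Jam & Jelly", 'ProductPrice' => '4.50'];
echo cartUrl($sample), "\n";
echo addToCartButton($sample), "\n";
echo cartLine(['ProductName' => "Grandma's Jam & Jelly"]), "\n";
```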
0

Try changing this: 'location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'"

to this: location.href=\'cart.php?ProductId='. $ProductId .'&ProductName='. $ProductName .'&ProductPrice='. $ProductPrice .'&ProductQty=1\'"

Also try using heredoc for multiline strings and use the curly braces to render variable values; you won't have problems with quotation:

echo <<<END
multi
line
string
variable={$var}
awesome!
END;

see https://php.net/language.types.string

Pablo Pazos