I'm having some trouble passing a number to a GET string in PHP, using urlencode and then urldecode (I have tried both the standard urlencode and rawurlencode). The problem is limited to numerical values, as my code works fine for everything else.

Here are relevant sections of code:

if (isset($_GET['q'])) {
    $qry = $_GET['q'];
    $qry = urldecode($qry);
}

This is the code used for searching:

$qry = "SELECT * FROM jobs JOIN clients ON jobs.Client = clients.ClientCode WHERE JobNumber LIKE '%1%'";

if (isset($_GET['DP']) && (strlen($_GET['DP']) > 0)) {
    $qry .= " AND DP LIKE %" . $_GET['DP'] . "%";
} elseif (isset($_POST['DP']) && (strlen($_POST['DP']) > 0)) {
    $qry .= " AND DP LIKE '%" . $_POST['DP'] . "%'";
}

if (isset($_GET['JobDescription'])) {
    $qry .= " AND JobDescription LIKE '%" . $_GET['JobDescription'] . "%'";
} elseif (isset($_POST['JobDescription']) && (strlen($_POST['JobDescription']) > 0)) {
    $qry .= " AND JobDescription LIKE '%" . $_POST['JobDescription'] . "%'";
}

if (isset($_GET['JobNumber'])) {
    $qry .= " AND JobNumber LIKE '%" . $_GET['JobNumber'] . "%'";
} elseif (isset($_POST['JobNumber']) && (strlen($_POST['JobNumber']) > 0)) {
    $qry .= " AND JobNumber LIKE '%" . $_POST['JobNumber'] . "%'";
}

This is the code used to encode the query after it has been processed:

$qry = urlencode($qry);

A string is output to be used in the pagination, an example being http://localhost/cpc/jobsearch.php?page=2&q=SELECT+%2A+FROM+jobs+JOIN+clients+ON+jobs.Client+%3D+clients.ClientCode+WHERE+JobNumber+LIKE+%27%251%25%27+AND+DP+LIKE+%27%25754611%25%27

This is causing errors around the 754611 section of the URL, and the page does not perform as intended. I believe it has something to do with the %25 (which represents a % sign, and is needed for the search) running into the value (754611 in this case) and not being decoded properly.

What am I doing wrong?

  • I'd say that you're already doing wrong by placing the SQL query in the URL, making it **really** easy to do SQL Injection. Maybe generate the query in a prepared statement and **don't** put the query in the URL but rather the parameters used in it. – GGG May 28 '16 at 04:55
  • Do you have an example of how this might look? I had thought about using key->value pairs, but unsure how to code this. Biggest trouble is there are about 35 fields total, none are required. – Ed King May 28 '16 at 05:09
  • Check user6393499's answer for the solution to your current problem, but my suggestion would be to use a GET parameter for each of the 35 fields and try to reduce them if possible. – GGG May 28 '16 at 05:17
  • I have had some luck using str_replace to convert %25 to another character (and then doing the reverse on the $_GET end). This seems to solve it at the moment, further testing is necessary. This isn't in production yet, more important was debugging why this part of the code was not working, hence why the entire query was being used. Unfortunately reduction of the fields is not an option. It's for a database of jobs, which uses street addresses, locality, parish, parcel number etc etc, which some records have all, some have only a few details entered, depending on when they were done. – Ed King May 28 '16 at 05:48
  • user6393499's answer is the solution to your problem.... `$_GET` and `$_POST` already get `urldecode()`'d, no need to do it twice as you do in `$qry = urldecode($qry);`. – GGG May 28 '16 at 06:16
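
The approach the comments describe (one GET parameter per field, a prepared statement, no SQL in the URL), as an added example that is not code from the question or its commenters. It assumes PDO with an in-memory SQLite database and constructed rows so it runs stand-alone; `SEARCHABLE`, `collectFilters`, `buildSearch` and `pageLink` are hypothetical names, and the JOIN and base condition from the question's query are left out for brevity.

```php
<?php
// Whitelist of searchable columns (three shown; extend to all 35 fields).
const SEARCHABLE = ['DP', 'JobDescription', 'JobNumber'];

// Keep only whitelisted, non-empty string inputs. PHP has already URL-decoded them.
function collectFilters(array $input): array {
    $filters = [];
    foreach (SEARCHABLE as $field) {
        if (isset($input[$field]) && is_string($input[$field]) && $input[$field] !== '') {
            $filters[$field] = $input[$field];
        }
    }
    return $filters;
}

// Column names come from the whitelist only; user values are bound, never concatenated.
function buildSearch(array $filters): array {
    $where = [];
    $params = [];
    foreach ($filters as $field => $value) {
        $where[] = "$field LIKE :$field ESCAPE '!'";
        // Escape LIKE wildcards typed by the user, then wrap in % for a contains match.
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
        $params[":$field"] = '%' . $escaped . '%';
    }
    $sql = 'SELECT * FROM jobs' . ($where ? ' WHERE ' . implode(' AND ', $where) : '');
    return [$sql, $params];
}

// The pagination link carries only filter values; http_build_query encodes them once.
function pageLink(array $filters, int $page): string {
    return 'jobsearch.php?' . http_build_query(['page' => $page] + $filters);
}

// Constructed demo data in an in-memory SQLite database (assumption for this example).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE jobs (JobNumber TEXT, DP TEXT, JobDescription TEXT)");
$pdo->exec("INSERT INTO jobs VALUES ('1001', '754611', 'Boundary survey'),
                                    ('1002', '880012', 'Subdivision')");

// This array stands in for $_GET; the unknown key 'q' is dropped by the whitelist.
$filters = collectFilters(['DP' => '754611', 'q' => 'SELECT ...']);
[$sql, $params] = buildSearch($filters);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
echo pageLink($filters, 2), "\n";
```

Because the `%` wildcards are added server-side when the value is bound, no `%25` ever appears in the link, and the values are decoded exactly once by PHP.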
