-1
```php
$mystring = "DTI ORIENTATION: CONSUMER PROTECTION & LEMON LAW";
```

After doing this,

```php
$mystring = htmlspecialchars("DTI ORIENTATION: CONSUMER PROTECTION & LEMON LAW");
```

I'm now getting an echo of just "DTI ORIENTATION: CONSUMER PROTECTION". Even if I removed the htmlspecialchars after, the string is different now.

The words after the & sign are missing along with it. What just happened? I just want to make the & sign to be included in my string to be used in mysqli_query. Please enlighten me on this one. Thank you.

code from file1.php:

```javascript
$(".t_title").click(function(){
    var title = $(this).data("title");
    var training_date = $(this).data("tdate");

    location.href = "viewTrainingAttendees.php?title=" + title + "&tdate="+ training_date;
});
```

code from viewTrainingAttendees.php:

```php
<?php
$ttitle = $_GET['title'];
echo $ttitle;
?>
```
MDB
  • Can you show more code? because I just tried this and it works well. What version of PHP do you have? also, `htmlspecialchars` will transform `&` into `&amp;`. – James Apr 26 '18 at 15:10
  • I see you edited the question. As @RaymondNijland said, check your field type in MySQL, 90% sure it's a `varchar` type with a limit of 20 chars (or something less than your string's length) probably. – James Apr 26 '18 at 15:11
  • Php Version 5.2.17. I already updated the question. – MDB Apr 26 '18 at 15:17
  • I think I understand now. Your question is not clear and doesn't point out the real problem IMO. What I can grasp by seeing your code is that you want to pass the title in GET method, right? – James Apr 26 '18 at 15:19
  • Your code does not contain a call to `htmlspecialchars` after all, so where is this coming from? What happens if you really **only** call it on the given string and output that? – Nico Haase Apr 26 '18 at 15:19
  • Yes sir. At first (before using htmlspecialchars), the string passes completely. But after using it, that thing happened. – MDB Apr 26 '18 at 15:20
  • It's entirely unclear how `htmlspecialchars`, MySQL, that Javascript snippet and URLs are related here. The fact is that `&` has a special meaning in both HTML and URL query strings, and you need to properly encode values respectively for HTML and URLs as needed. – deceze Apr 26 '18 at 15:22
  • I removed the htmlspecialchars() and let the $_GET['title'] pass to the variable $ttitle. But still, the words after the & don't appear anymore. – MDB Apr 26 '18 at 15:22
  • I understand now. It's not on the php side but on how to pass the string on the URL. Thank you guys for helping me. – MDB Apr 26 '18 at 15:29

1 Answer

1

`&` has special meaning in a query string: it marks the start of the next key=value pair.

If you want to represent it as data, you have to percent encode it.

Use encodeURIComponent() on any plain text string you are inserting into a URL.

Better yet, use the URL API to construct query strings instead of mashing strings together. (You'll need a polyfill for old browsers).

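```javascript
var url = new URL(location.href);
url.pathname = "viewTrainingAttendees.php";
// searchParams is read-only, so clear any existing query string via url.search
url.search = "";
// append() percent-encodes each value, so "&" stays part of the data
url.searchParams.append("title", "DTI ORIENTATION: CONSUMER PROTECTION & LEMON LAW");
url.searchParams.append("tdate", "example example");
console.log(url.href);
```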
Quentin
  • I tried this one: `$(".t_title").click(function(){ var title = $(this).data("title"); var training_date = $(this).data("tdate"); location.href = "viewTrainingAttendees.php?title=" + encodeURIComponent(title) + "&tdate="+ training_date; });` It works! But am I doing this right? – MDB Apr 26 '18 at 15:25
  • Thank you @Quentin – MDB Apr 26 '18 at 15:29
  • You should be encoding *all* the plain text strings, including `training_date`. – Quentin Apr 26 '18 at 15:30
  • I tried using your code, but how to go to viewTrainingAttendees.php? – MDB Apr 26 '18 at 15:40
  • Yay! Okay I got it now. Thanks a lot Sir. Thank you so much. – MDB Apr 26 '18 at 15:42
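
The truncation from the question next to both fixes from the answer, as an added example that is not part of the original posts. It runs under Node.js; `BASE` (a placeholder origin standing in for `location.href`), the sample dates, the second sample title and the helper `received()` are assumptions made for the illustration.

```javascript
// Added example, not code from the question or the answer.
const BASE = "https://example.test/app/file1.php";  // placeholder for location.href
const TITLE = "DTI ORIENTATION: CONSUMER PROTECTION & LEMON LAW";
const TRICKY = "R&D = 100% #1 + more";              // constructed sample value
const DATE = "2018-04-26";                          // constructed sample value

// What the question's click handler builds: values concatenated as-is.
function naiveUrl(title, tdate) {
  return "viewTrainingAttendees.php?title=" + title + "&tdate=" + tdate;
}

// Fix 1: percent-encode every value, including tdate.
function encodedUrl(title, tdate) {
  return "viewTrainingAttendees.php?title=" + encodeURIComponent(title) +
         "&tdate=" + encodeURIComponent(tdate);
}

// Fix 2: let the URL API do the encoding.
function apiUrl(title, tdate) {
  const url = new URL("viewTrainingAttendees.php", BASE);
  url.searchParams.set("title", title);
  url.searchParams.set("tdate", tdate);
  return url.href;
}

// Hypothetical helper: split the query string into key/value pairs,
// as the receiving page does before filling $_GET.
function received(href) {
  return Object.fromEntries(new URL(href, BASE).searchParams);
}

for (const build of [naiveUrl, encodedUrl, apiUrl]) {
  for (const title of [TITLE, TRICKY]) {
    console.log(build.name, JSON.stringify(received(build(title, DATE))));
  }
}
```

In the browser, navigate with `location.href = apiUrl(title, training_date)`. With the naive builder, everything after `&` becomes a separate parameter, and a `#` in the value cuts off the rest of the query, `tdate` included.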