I have a URL that looks like:

example.com/profile.php?id=1

I want to dynamically generate the URL by taking username from the form input in the database's id field. Like :

example.com/profile.php?id=username

This link gives errors. If I use the link below then it works:

example.com/profile.php?id="username"

But I am facing a problem in the anchor tag. My code:

    <a href="contributor-profile.php?id=<?PHP echo "$data['id']";?>">
        <h4 class="contributor-name">
            <?PHP echo $data ['name'];?>
        </h4>
    </a>

I have also used the urlencode function but it is not working:

    <a href="profile.php?id=<?PHP echo urlencode($data['id']);?>">
        <h4>
            <?PHP echo $data ['name'];?>
        </h4>
    </a>
  • _"This link give errors."_ It shouldn't, that's a perfectly valid link. I'll wager that you're building a subsequent SQL query with string concatenation and it isn't quoted (like `SELECT * FROM users WHERE id = $id`) so it only works when you explicitly pass it quotes. – Alex Howansky Feb 14 '19 at 17:47
  • This further implies that you are vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection). Instead of building queries with string concatenation, use [**prepared statements**](https://secure.php.net/manual/en/pdo.prepare.php) with [**bound parameters**](https://secure.php.net/manual/en/pdostatement.bindparam.php). See [**this page**](https://phptherightway.com/#databases) and [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) for some good examples. – Alex Howansky Feb 14 '19 at 17:48
  • If you want to pass the quotes in the URL, put them on the outside of the PHP brackets, not inside. The ones inside just tell the echo that it's a parseable string. However, I agree with Alex that your error is not due to the URL. – aynber Feb 14 '19 at 18:10
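
A concrete form of the advice in the comments above (a prepared statement with a bound parameter, next to the unquoted concatenation the first comment suspects, plus a link built with `urlencode` and `htmlspecialchars`), added here as an example that is not part of the question or its comments. It assumes a `users` table with `id` and `name` columns and uses an in-memory SQLite database constructed inline so it runs stand-alone from the command line.

```php
<?php
// Added example, not the asker's code. The database, table and rows below are
// constructed here so the script runs offline; the assumed schema is
// users(id, name), matching the profile lookup described in the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id TEXT PRIMARY KEY, name TEXT)");
$pdo->exec("INSERT INTO users VALUES ('alice', 'Alice'), ('bob', 'Bob')");

// What the comments suspect profile.php is doing: the id from the URL is
// spliced into the SQL text. It only "works" when the URL itself carries the
// quotes, and any quote character inside the id changes the query's meaning.
function findProfileUnsafe(PDO $pdo, string $id): ?array {
    $row = $pdo->query("SELECT id, name FROM users WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Prepared statement with a bound parameter: the id travels as a value, the
// driver handles quoting, and quote characters in the id are just data.
function findProfile(PDO $pdo, string $id): ?array {
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Building the link: urlencode() for the query-string value and
// htmlspecialchars() because the result sits inside an HTML attribute.
// No quotes around the id, either in PHP or in the URL.
function profileLink(array $data): string {
    $href = 'profile.php?id=' . urlencode($data['id']);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . '<h4 class="contributor-name">'
         . htmlspecialchars($data['name'], ENT_QUOTES, 'UTF-8')
         . '</h4></a>';
}

// profile.php side: read ?id=alice (no quotes in the URL) and look it up.
// 'alice' stands in for the request parameter when run from the CLI.
$id = $_GET['id'] ?? 'alice';
$profile = findProfile($pdo, $id);
echo $profile ? profileLink($profile) . "\n" : "not found\n";

// The unquoted concatenation fails for a plain id, because the database reads
// a bare `alice` as an identifier, not a string: the error the question sees.
try {
    findProfileUnsafe($pdo, 'alice');
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . "\n";
}
```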

0 Answers