
This question has not been asked before. That link above is no help.

When trying to pass the TXTurl variable in a URL, everything after the hashtag does not pass as the variable because it is a fragment. I was doing some reading, and the variable does pass as %23. I have been trying to change the # to a %23 before it goes into the database.

I have tried urldecode() urlencode() - I have tried the below myUrlEncode function I found.

function myUrlEncode($TXTurl) {
    $entities = array('%21', '%2A', '%27', '%28', '%29', '%3B', '%3A', '%40', '%26', '%3D', '%2B', '%24', '%2C', '%2F', '%3F', '%25', '%23', '%5B', '%5D');
    $replacements = array('!', '*', "'", "(", ")", ";", ":", "@", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]");
    return str_replace($entities, $replacements, urlencode($TXTurl));
}


try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    // prepare sql and bind parameters
    $stmt = $conn->prepare("INSERT IGNORE INTO MyFAQlist (TXTurl, TXTlinkname) 
    VALUES (:TXTurl, :TXTlinkname)");
    $stmt->bindParam(':TXTurl', $TXTurl);
    $stmt->bindParam(':TXTlinkname', $TXTlinkname);
    myUrlEncode($TXTurl); 

    // insert a row 
    $TXTurl = "$TXTurl";
    // insert a row
    $TXTlinkname = "$TXTlinkname";
    $stmt->execute();

I want to replace # with %23 when inserting TXTurl into database.

Also tried to use rawurlencode. Didn't work.

$stmt = $conn->prepare("INSERT IGNORE INTO MyFAQlist (TXTurl, TXTlinkname) 
VALUES (:TXTurl, :TXTlinkname)");
$stmt->bindParam(':TXTurl', $TXTurl);
$stmt->bindParam(':TXTlinkname', $TXTlinkname);
$TXTurl = rawurlencode($TXTurl);
J D
  • What do you mean 'and have security'? This shouldn't be necessary for storing a url, especially when you use bind variables, like you do. – GolezTrol Jul 23 '19 at 21:55
  • `rawurlencode()` is what you're looking for (https://www.php.net/manual/en/function.rawurlencode.php) – WOUNDEDStevenJones Jul 23 '19 at 21:56
  • I mean I want to avoid injections.... – J D Jul 23 '19 at 23:19
  • @JD Then you should properly prevent injections, using parameterized queries. There is **no risk** of SQL injections if you properly use parameterized queries. – ceejayoz Jul 24 '19 at 01:09

1 Answer

You could encode them using rawurlencode:

$url = 'http://my-url.com/with-a-hash#';
echo rawurlencode($url); // http%3A%2F%2Fmy-url.com%2Fwith-a-hash%23

PHP Documentation: https://www.php.net/manual/en/function.rawurlencode.php

atymic
  • I have several inserts. Do I input like so? try { $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password); // set the PDO error mode to exception $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // prepare sql and bind parameters $stmt = $conn->prepare("INSERT IGNORE INTO MyFAQlist (TXTurl, TXTlinkname) VALUES (:TXTurl, :TXTlinkname)"); $stmt->bindParam(':TXTurl', $TXTurl); $stmt->bindParam(':TXTlinkname', $TXTlinkname); $TXTurl = rawurlencode($TXTurl); – J D Jul 23 '19 at 23:47
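
An added example (not code from the question or the answer) that puts the thread's two points side by side: the `#` fragment is dropped before PHP ever sees the value unless the link is built with `rawurlencode()`, and a bound parameter stores the decoded URL verbatim with no further encoding. The URLs are constructed, `receivedTXTurl()` is a hypothetical helper, and an in-memory SQLite database (assumes `pdo_sqlite`) stands in for the MySQL table.

```php
<?php
// Constructed sample input: a URL with a fragment and a quote character.
$TXTurl      = "https://example.com/faq.php?id=7#it's-here";
$TXTlinkname = 'FAQ entry';

// The link that carries TXTurl as a query parameter, built two ways.
// app.example/add.php is a placeholder for the script that does the insert.
$rawLink     = 'https://app.example/add.php?TXTurl=' . $TXTurl;
$encodedLink = 'https://app.example/add.php?TXTurl=' . rawurlencode($TXTurl);

// Hypothetical helper: what $_GET['TXTurl'] would hold for a given link.
function receivedTXTurl(string $link): string
{
    // parse_url() splits off the fragment the way a browser does before
    // sending the request; parse_str() decodes the query like PHP does.
    parse_str((string) parse_url($link, PHP_URL_QUERY), $get);
    return $get['TXTurl'] ?? '';
}

// Assumption: SQLite in memory instead of MySQL, so plain INSERT is used
// here where the question uses the MySQL-specific INSERT IGNORE.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE MyFAQlist (TXTurl TEXT, TXTlinkname TEXT)');

// The value is bound, never concatenated into the SQL text, so the quote
// and the # in it are stored as data. No URL encoding is needed for that.
$stmt = $conn->prepare(
    'INSERT INTO MyFAQlist (TXTurl, TXTlinkname) VALUES (:TXTurl, :TXTlinkname)'
);
$stmt->execute([
    ':TXTurl'      => receivedTXTurl($encodedLink),
    ':TXTlinkname' => $TXTlinkname,
]);

$stored = $conn->query('SELECT TXTurl FROM MyFAQlist')->fetchColumn();

echo 'unencoded link delivers: ', receivedTXTurl($rawLink), PHP_EOL;
echo 'encoded link delivers:   ', receivedTXTurl($encodedLink), PHP_EOL;
echo 'stored value matches:    ', var_export($stored === $TXTurl, true), PHP_EOL;
```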