2

How can I replace spaces in URL with an underline(_)?

$query = mysql_query("SELECT * FROM users WHERE username = '$_GET[user]'");

But if a user has a space in her/his username I wanna replace the space with an underline. So the URL for profile.php?user=John Johnson would be profile.php?user=John_Johnson.

How can I do this?

Thanks!

11 Answers

13

As mentioned elsewhere, str_replace will do what you are specifically looking for, but...

I'd be more worried about profile.php?user=John' DROP DATABASE--

Don't build queries like this. EVER. See SQL Injection for one reason why. Take a look at this article for the right way to do it.

Oh, and a comic to use as a memory aid to reinforce that you should NEVER do this.

EDIT: In response to your response (you're better off editing your original question so that it's obvious that you are clarifying your question). If you have the user 'John Johnson' stored in the database, but you want to access him with the URL profile.php?user=John_Johnson, you need to reverse the replacement you are doing:

 $user  = str_replace('_', ' ', $_GET['user']);
 $user  = mysql_escape_string($user);
 $query = mysql_query("SELECT * FROM users WHERE username = '$user'");

 // if the user does not exist, print an error message
 if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');

This will take profile.php?user=John_Johnson and produce the sql query: SELECT * FROM users WHERE username = 'John Johnson'

The sample code you replied with would take profile.php?user=John Johnson and produce the sql query: SELECT * FROM users WHERE username = 'John_Johnson' which I suspect is the opposite of what you want.

But again, I'd strongly recommend looking into prepared statements. mysql_escape_string is really a stop-gap measure. All it takes is forgetting to use it once and you've opened up your site to hacking.

Community
Eclipse
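The prepared-statement approach this answer recommends, as an added example that is not part of the original answer. It uses PDO with an in-memory SQLite database (an assumption made here so it runs offline; the thread uses MySQL), and the helper names, table layout and sample rows are constructed for illustration.

```php
<?php
// Added example (not from the thread). Assumes the pdo_sqlite extension;
// the table layout and sample rows are constructed for illustration.

// Hypothetical helpers: map a stored username to its URL form and back.
function username_to_slug(string $name): string { return strtr($name, ' ', '_'); }
function slug_to_username(string $slug): string { return strtr($slug, '_', ' '); }

function find_user(PDO $db, string $slug): ?array
{
    // The value is bound separately from the SQL text, so quotes in it
    // cannot change the structure of the statement.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->execute([':name' => slug_to_username($slug)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('John Johnson'), ('alice')");

// Constructed inputs standing in for $_GET['user'] (PHP has already URL-decoded it).
$inputs = ['John_Johnson', 'alice', "John' DROP DATABASE--", "x' OR '1'='1"];
foreach ($inputs as $slug) {
    $user = find_user($db, $slug);
    $result = $user ? "found #{$user['id']} {$user['username']}" : 'no such user';
    printf("%-24s => %s\n", $slug, $result);
}

// Build the profile link: rawurlencode() makes the slug a valid query value,
// htmlspecialchars() makes the link safe to print into HTML.
$link = 'profile.php?user=' . rawurlencode(username_to_slug('John Johnson'));
echo htmlspecialchars($link, ENT_QUOTES, 'UTF-8'), "\n";

// The table is still intact after the hostile inputs.
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " rows\n";
```

The underscore mapping is lossy: a stored name that itself contains an underscore cannot be reached through it. With MySQL, set PDO::ATTR_EMULATE_PREPARES to false so the server prepares the statement rather than PDO interpolating the value client-side.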
3

Don't create SQL strings from unchecked user input.

At least use mysql_escape_string() to avoid being hacked on first sight:

$user  = str_replace(' ', '_', $_GET['user']);
$user  = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
Community
Tomalak
3

Since you do not need regular expressions to do this replacement, you should avoid them since they have significant overhead.

Furthermore, since you're only after characters and not strings, you should go for the function written for character-to-character mapping: strtr()

$result = strtr($original, " ", "_");
Jeremy L
2

str_replace?

Chuck
2

Use str_replace() like this:

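// a function call is not interpolated inside a string, so do the replacement (and escaping) first
$user  = mysql_escape_string(str_replace(' ', '_', $_GET['user']));
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");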
Jonas K
1

You could just replace it in the actual variable using str_replace or strtr. Strtr is usually shown to be faster.

$newUsername = mysql_escape_string(strtr($_GET['user'], ' ', '_')); // escape before use in SQL

Should do it, and your new query:

$query = mysql_query("SELECT * FROM users WHERE username = '$newUsername'");
Logan Serman
1

Biff,

Try this:

$user = urldecode($_GET['user']);

$user now contains 'John Smith' instead of 'John%20Smith', which I assume is why the query was failing.

$user = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");

Your problem seems to be with URL Encoded characters preventing a match. Hope that helps.

gmadd
karim79
0
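$path = "your website and the path here"; // like http://stackoverflow.com/index.php?id=1
$page = $_SERVER["QUERY_STRING"];
// QUERY_STRING is not URL-decoded, so a space normally arrives as %20
if (stristr($page, ' ') || stristr($page, '%20')) {
    $page = str_replace(" ", "_", $page);
    $page = str_replace("%20%", "_", $page);
    $page = str_replace("%20", "_", $page);
    $page = str_replace("q=", "", $page);
    // escape the value before writing it into an HTML attribute
    $url = htmlspecialchars("$path/$page", ENT_QUOTES);
    echo "<meta http-equiv=\"refresh\" content=\"0; url=$url\" />";
    die();
}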

If you got the page like website.com/index.phphdsdhdh you should remove this line

$page = str_replace("q=","" , $page);

if you want to stop sql injection you can use

addslashes();

or use this function

$page = strtolower($_SERVER["QUERY_STRING"]);
// stop the request if the query string contains any of these SQL keywords
if (stristr($page, 'union') or stristr($page, 'and') or stristr($page, 'or') or stristr($page, 'select')) {
    die("sql injection attack");
}

put it in config

Samarlover
  • welcome to SO! When posting code, make sure to format it by selecting the text and hitting the curly braces button `{}` – JohnP Apr 21 '11 at 11:04
0

The str_replace function is what you are looking for. (There are some other alternatives but str_replace is enough for this case)

$query = mysql_query("SELECT * FROM users WHERE username = '" . str_replace(' ', '_', $_GET['user']) . "'");

WARNING: You should seriously read something about SQL injection. Here is some introduction:

http://sk.php.net/security.database.sql-injection

lacop
0

You might want to look at preg_replace() and replace all " " with "_" like so:

$result = preg_replace('/\s/', '_', $_GET['user']);

But you should not be putting user input directly into a query like that. Look into PHP input sanitization.

EDIT: Sorry forgot that regex requires \s to mean a space.

Mykroft
0

Weird, none of your codes seem to work... I have a user called John Johnson in the database. It works with the ones without space.

The code:

     $user  = str_replace(' ', '_', $_GET['user']);
     $user  = mysql_escape_string($user);
     $query = mysql_query("SELECT * FROM users WHERE username = '$user'");

     // if the user does not exist, print an error message
     if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');