2

I select a list of names from a mysqli database, then display row details in display.php with `if (isset($_GET['name']))`. The link is:

    $str = strtoupper($str);
    echo "<tr><td><a href='php/display.php?name=$str'>$str</a></td></tr>";

This executes correctly unless the name contains ' (apostrophe).

For instance, $str (as input/click) shows as L'ECLIPSE but the <a> link is only L'. The result in display.php is 'No data found for your request'.

I have found the exact same queries on this site, but none of the answers have resolved my problem. Perhaps I am not implementing them correctly. I assume this is about escaping, but I know little about it.

aynber
sampudine
  • The apostrophe is breaking the link because the href is surrounded with single quotes. You'll need to encode it or add slashes – aynber Oct 15 '19 at 17:00
  • I tried slashes and addslashes() but only found urlencode() (another answer here) to work for my code. – sampudine Oct 21 '19 at 19:02

2 Answers

3

    <?php

    $str = strtoupper($str);
    echo "<tr><td><a href='php/display.php?name=".urlencode($str)."'>$str</a></td></tr>";

urlencode() the string first, so you don't get this kind of problem.

fonini
-3

Try this code.

    <?php
    $str = strtoupper($str);
    echo "<tr><td><a href='php/display.php?name=".htmlspecialchars($str)."'>$str</a></td></tr>";
    ?>

Your single quote becomes &#039;
I hope it will help.

Vibhore Jain
  • This doesn't work, try `$str = "Apos' heal";` for example. htmlspecialchars does not convert `'` single quote without mentioning the `ENT_QUOTES` flag. – user31782 Feb 17 '22 at 14:41
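
Both answers and the comment above turn on which encoding belongs in which context. As an added example (not code from any of the posters), the sketch below applies urlencode() to the query value and htmlspecialchars() with ENT_QUOTES to everything written into the HTML, then checks what display.php would receive; the function names and the sample names are made up for the illustration.

```php
<?php
// Added example: the names in $samples are constructed test data.

/**
 * Build one table row linking to display.php for $name.
 * Two separate encodings are applied, one per context:
 *   1. urlencode()        -> the value is safe inside the query string
 *   2. htmlspecialchars() -> the result is safe inside the attribute and the link text
 */
function name_row(string $name): string
{
    $name = strtoupper($name);
    $url  = 'php/display.php?name=' . urlencode($name);

    // ENT_QUOTES is passed explicitly so ' and " are converted on every PHP version.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');

    return "<tr><td><a href='$href'>$text</a></td></tr>";
}

/** What display.php would find in $_GET['name'] after the browser follows $href. */
function received_name(string $href): string
{
    // The browser undoes the HTML entities, PHP undoes the URL encoding.
    $query = parse_url(html_entity_decode($href, ENT_QUOTES, 'UTF-8'), PHP_URL_QUERY);
    parse_str((string) $query, $params);
    return $params['name'] ?? '';
}

$samples = ["L'eclipse", 'Tom & Jerry', 'A "quoted" name', '<b>bold</b>'];

foreach ($samples as $s) {
    $row = name_row($s);
    preg_match("/href='([^']*)'/", $row, $m);   // pull the href back out of the row
    $roundTrip = received_name($m[1]);

    echo $row, "\n";
    echo '  display.php receives: ', $roundTrip,
         ($roundTrip === strtoupper($s) ? '  (matches)' : '  (MISMATCH)'), "\n";
}
```

display.php needs no decoding step of its own, because PHP has already URL-decoded the value by the time it appears in `$_GET['name']`.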