1

Let me explain this as best as I can.

I have a PHP file named funcs.php which contains exactly this PHP code:

```php
$q = $_GET["q"];

$sql = "SELECT * FROM bl_zrify WHERE Name = '".$q."'";

$result = mysql_query($sql);
while ($row = mysql_fetch_array($result))
{
    if ($row['State'] == '') {
        $SchoolState = 'Unknown';
    }
    else if ($row['State'] == 'AL') {
        $SchoolState = 'Alabama';
    }
    else if ($row['State'] == 'AK') {
        $SchoolState = 'Alaska';
    }
    else if ($row['State'] == 'AZ') {
        $SchoolState = 'Arizona';
    }
    else if ($row['State'] == 'AR') {
        $SchoolState = 'Arkansas';
    }

    print 'This school is in';
    print $SchoolState;
}
```

When I call in my browser:

url example => http://www.domain.com/funcs.php?q=ABRAHAM BALDWIN AGRICULTURAL COLLEGE

It normally works and returns => This school is in Alabama

But when I call in my browser any URL which has & (&) inside, it won't work at all:

url example => http://www.domain.com/funcs.php?q=BRYANT & STRATTON BUSINESS INSTITUTE - BUFFALO

I don't know why, but for some reason I get no results when there is amp (&) in URL, please HELP!

hakre
ProDraz

2 Answers

3
funcs.php?q=BRYANT & STRATTON BUSINESS INSTITUTE - BUFFALO

You are passing two variables. Do a var_dump($_GET); and you will see.

You probably meant:

funcs.php?q=BRYANT+%26+STRATTON+BUSINESS+INSTITUTE+-+BUFFALO

To pass values for parameters in URLs, they need the proper encoding. Also called url-encoding. & is a special character that needs to be written as %26, space is a special character as well, can be written as + or %2b. Also called percent- or triplet-encoding.

A function in PHP that does this is: `urlencode`.

In any case you need to properly encode as well the search term for the SQL query, otherwise you allow others to alter the SQL query and do stuff like searching more than you want and even delete your database. That's a more serious issue than losing half a variable's value.

See: Best way to stop SQL Injection in PHP

hakre
  • OK, I've modified code so that: `funcs.php?q=BRYANT+%26+STRATTON+BUSINESS+INSTITUTE+-+BUFFALO` But that still doesn't return anything, while: `funcs.php?q=BRAHAM+BALDWIN+AGRICULTURAL+COLLEGE` returns results normally! – ProDraz Oct 15 '11 at 01:25
  • Check your database query. It probably only matches an empty recordset. Look at why it is wrong. Doing a proper HTTP query must not mean that the database query is proper as well. – hakre Oct 18 '11 at 18:43
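
The two points from the answer above, as an added example that is not part of the original post or its comments: it parses the raw and the encoded query string the way PHP fills `$_GET`, then looks the name up with a bound parameter instead of string concatenation. Assumptions: PDO with an in-memory SQLite database stands in for the asker's MySQL server, the rows and their State values are constructed sample data, and `schoolState` is a hypothetical helper.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL;
// both rows and their State values are constructed sample data.
$name = 'BRYANT & STRATTON BUSINESS INSTITUTE - BUFFALO';

// 1. Parse the raw and the encoded query string the way PHP fills $_GET.
$raw     = 'q=' . $name;
$encoded = http_build_query(['q' => $name]); // urlencode()-style: & -> %26

parse_str($raw, $rawGet);
parse_str($encoded, $encGet);

echo "raw:     $raw\n";
var_dump($rawGet);  // q is cut at the &; the rest becomes a second parameter
echo "encoded: $encoded\n";
var_dump($encGet);  // q holds the full school name

// 2. Look the name up with a bound parameter instead of string concatenation.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bl_zrify (Name TEXT, State TEXT)');
$ins = $db->prepare('INSERT INTO bl_zrify (Name, State) VALUES (?, ?)');
$ins->execute([$name, 'AL']);
$ins->execute(["ST. JOHN'S COLLEGE", 'AK']); // a quote would break the concatenated query

function schoolState(PDO $db, string $q): string
{
    $states = ['AL' => 'Alabama', 'AK' => 'Alaska', 'AZ' => 'Arizona', 'AR' => 'Arkansas'];
    $stmt = $db->prepare('SELECT State FROM bl_zrify WHERE Name = ?');
    $stmt->execute([$q]);
    $code = $stmt->fetchColumn();
    if ($code === false) {
        return 'no matching row';
    }
    return $states[$code] ?? 'Unknown';
}

foreach ([$rawGet['q'], $encGet['q'], "ST. JOHN'S COLLEGE"] as $q) {
    printf("%s => %s\n", var_export($q, true), schoolState($db, $q));
}
```

Because the value is bound rather than spliced into the SQL text, quotes and other special characters in `q` reach the database as data only.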
1

'&' separates URL parameters. Your second query has a parameter q that's equal to "BRYANT " and a parameter STRATTON BUSINESS… that has no value.

millimoose