php - "amp;" Precedes $_GET array element (parameter) name
The link below has the issue, although ".amp;" (I am seeing that the link is not appearing as pasted when I view the question before posting. I'm looking at the $_GET variable name, to remove amp; from the parameter name)
index.php?searchresults&searchstring=aliquippa&allwords=off
The $_GET elements are named with amp; preceding the name I expect. For example, $_GET['amp;allwords'] is how the variables are named. I expect the $_GET['allwords'] format.
All links on the 'site' are built and returned by a standard class function that applies htmlspecialchars to the final return value. Each link is constructed by a class function specific to the required task and returned through calling the standard function. While all links are returned through the same standard function, I have 1 link misbehaving.
This link is the first time I've tried taking user input and passing (redirecting?) it through a $_GET parm. It's as if the &'s are being doubled up. The code is not adding a second ampersand.
As a solution, I found and tried htmlspecialchars_decode() against the post variables. It made no difference to the name assigned to the $_GET parm. Other than decoding what is encoded and going through the logic, I'm at a loss understanding. The code building the link in error looks the same as the code building the links that work fine. All links are returned through the standard function, which applies htmlspecialchars. I would think the links either all work or all do not work, not a mixture.
Below is the code being used to redirect when the $_GET array contains a parm named 'search' - the code I suspect of injecting the double &'s. I have added writing to a log file in the function, and the "double &'s" are present in the return value of link::tosearchresults.
if (isset($_GET['search'])) {
  $this->msearchstring = $_POST['search_string'];
  $this->mallwords = isset($_POST['all_words']) ? $_POST['all_words'] : 'off';
  // Discard buffered output, then redirect to the search results page
  ob_clean();
  header('HTTP/1.1 302 Found');
  header('Location: ' . link::tosearchresults($this->msearchstring, $this->mallwords));
  flush();
  ob_flush();
  ob_end_clean();
  exit;
}
The following is the tosearchresults function code:
$link = 'index.php?searchresults';
if (empty($searchstring))
  $link .= '/';
else
  $link .= '&searchstring=' . $searchstring;
$link .= '&allwords=' . $allwords;
return self::build($link);
The following is the return from the standard class function build(). All links are passed through this function before returning to the caller.
return htmlspecialchars($link, ENT_QUOTES);
The problem occurs when you pass values containing '&' through the build method, escaping HTML special characters to HTML entities. The resulting link is of the form:
index.php?searchresults&amp;searchstring=aliquippa&amp;allwords=off
PHP's URL parser does not expect to encounter HTML entities, because they should not be present in URLs; therefore it correctly splits the query string on &, treating the trailing amp; as part of the key. To solve the problem, do not pass URLs through htmlspecialchars().
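The fix described in the answer, as an added example that is not part of the original post or the asker's code base: the URL is built unescaped for the Location header and HTML-escaped only where it is written into markup. The helper names buildSearchUrl, toHtmlAttr and parseQuery are hypothetical, the sample search strings are constructed, and the empty-search branch of the original function is left out.

```php
<?php
// Added example; all function names here are hypothetical.

// Build the raw URL. http_build_query() percent-encodes the user-supplied
// values, so an '&' or '=' typed into the search box cannot add parameters.
// The separator is passed explicitly so arg_separator.output cannot change it.
function buildSearchUrl(string $searchString, string $allWords): string
{
    $query = http_build_query(
        ['searchstring' => $searchString, 'allwords' => $allWords],
        '', '&', PHP_QUERY_RFC3986
    );
    return 'index.php?searchresults&' . $query;
}

// HTML-escape only at the point where the URL is written into markup.
function toHtmlAttr(string $url): string
{
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Parse a URL's query string the way PHP fills $_GET for a request.
function parseQuery(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$raw     = buildSearchUrl('aliquippa', 'off');   // constructed sample input
$escaped = toHtmlAttr($raw);

// Wrong context: the HTML-escaped string used as a redirect target.
// The keys come back with the "amp;" prefix described in the question.
print_r(array_keys(parseQuery($escaped)));

// Right context: the raw URL is what belongs in header('Location: ' . $raw).
print_r(array_keys(parseQuery($raw)));

// Right context for the escaped form: an href attribute, where the browser
// decodes &amp; back to & before it sends the request.
echo '<a href="' . $escaped . '">Search</a>', PHP_EOL;

// A search string that itself contains '&' survives the round trip intact.
print_r(parseQuery(buildSearchUrl('fish & chips', 'on')));
```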