Doea a & character interfere with PHP

[bullbreed]

Hi everyone

I have a bit if an issue with some PHP i;ve been playing with.

The following code is working fine to delete data from the database

if (isset($_GET['p'])){
           $namecheck = mysql_query("SELECT `name` FROM `store` WHERE `name` = '".$_GET["p"]." '");
          $count = mysql_num_rows($namecheck);
       
           if ($count !== 0){
                if ($_GET['sure'] === '1'){
                        mysql_query("DELETE FROM `store` WHERE `name` = '".$_GET["p"]."' LIMIT 1");
                }else{
                   echo '<font size="2" color="#ff0000">Are you sure you want to delete this retailer? <a href="deleteretailer.php?p='.$_GET['p'].'&sure=1">Yes</a> or <a href="deleteretailer.php">No</a></font>';
               }
           }
      } 

However if the name contains a & character such as A & B Engineering the echo message doesn't show and I can't delete the data from the database. Is the & character causing an issue as it only seems to affect those names containing it.

 

Thanks

 

B

[akphidelt2007]

The "&" is a separator for GET values. So you have to use urlencode when creating the url string. The other thing you should do is clean the GET value before you submit it to the database. Just type in Google "PHP How to prevent SQL Injections". You willl see a million sites detailing how to make data safe for inserting in to your database.

[kicken]

You need to run values though urlencode before you stick them into the URL in your link.