
htmlspecialchars()


Go to solution Solved by rick.emmet,


Hi Everyone,
I have a (hopefully) quick question. When I send a single piece of data in the URL to the next webpage, I get the behavior I'm expecting. I need to send two pieces of data and cannot get it to work. I have session_start() at the top of both pages and session.use_trans_sid in my php.ini is set to 0 for security reasons. The PHP manual says that I can use htmlspecialchars(SID), it says:
 

The following example demonstrates how to register a variable, and how to link correctly to another page using SID.

 

 

<?php

session_start();

if (empty($_SESSION['count'])) {
   $_SESSION['count'] = 1;
} else {
   $_SESSION['count']++;
}
?>

<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>

<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>

 

The htmlspecialchars() may be used when printing the SID in order to prevent XSS related attacks.

 


OK, good enough. I need to send the SID to the next page, and I need to send the instance_id too. What I have tried to do is this:
 

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id="<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id='<?php echo htmlspecialchars(SID); ?>' ><?php echo stripslashes($row_rsautos['title']); ?></a>


The difference being the use of double quotes in the first and single quotes in the second. The code looks OK in the editor, all the markup colors look good. When I hover over the link, I can see the URL of the target page and the instance_id, but nothing beyond that. It looks as if the browser is not reading the subsequent data (SID) I'm attempting to place in the URL. I also tried the following:
 

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>?session_id=<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>



And when I hover over the link, I can see the instance_id and “session_id=” but no SID. The browser is not reading the PHP echo statement.

I also tried numerous other versions of this, but they looked completely wrong in the editor and/or throw errors. I seem to recall that there is a special character for this (to add more pieces of data to the URL), but everything I have plugged into the code fails. Is there a simple way of writing more than one piece of data to the URL? Thanks very much for your time, I really appreciate it!
Cheers,
Rick


I think the problem is the way you are specifying the separator between the two variables:

 

http://www.domain.com?Variable=value
http://www.domain.com?Variable=value&Another=somethingElse

To introduce the first parameter, you use the question-mark ("?")

To introduce the second (and subsequent) parameter, you use an ampersand ("&")


  • Solution

Hello Strider and David,

Thank you both so much for your time, there were just a couple of things I wasn't getting. I used the question mark for subsequent parameters (for some reason I thought it was some combination of "&" plus "%") and that worked well. Also, I couldn't use session_name() = session_id() because the name will be the same for every user. I did a little experimenting and came up with this:

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>&column=<?php echo $_SESSION['column']; ?>&key_word=<?php echo $_SESSION['key_word']; ?>&session_id=<?php echo session_id(); ?>" >

I was able to see the parameters in the URL, so that was a good sign. But I was still failing to get a result on the second page for two lines of code "echo $_SESSION['column'];" and "echo $_SESSION['key_word'];". So I just used $_GET, and it worked like a champ. Thanks again for your help!!

cheers,

Rick

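The "?" then "&" separator rule and the multi-parameter link from the posts above, as an added example that is not part of the original thread: it URL-encodes each value, HTML-escapes the finished href, and validates the parameters on the receiving page. The helper `detail_href()`, the `$allowed_columns` allowlist and all sample values are hypothetical; the session ID is left out of the URL on the assumption that PHP's session cookie carries it.

```php
<?php
// Added example, not code from the thread. All values below are constructed.
$row_rsautos = ['instance_id' => 42, 'title' => 'Ford <b>F-150</b> "XLT"'];
$search      = ['column' => 'make', 'key_word' => 'ford & "chevy"'];

/**
 * Build an href value. http_build_query() URL-encodes each value and joins
 * the pairs with "&"; htmlspecialchars() then makes the result safe inside
 * a quoted HTML attribute (the "&" separators are written as "&amp;").
 */
function detail_href(string $page, array $params): string
{
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return htmlspecialchars($page . '?' . $query, ENT_QUOTES, 'UTF-8');
}

$href = detail_href('srch_detail_autos.php', [
    'instance_id' => $row_rsautos['instance_id'],
    'column'      => $search['column'],
    'key_word'    => $search['key_word'],
]);
$title = htmlspecialchars($row_rsautos['title'], ENT_QUOTES, 'UTF-8');

echo "<a href=\"$href\">$title</a>\n";

// Receiving page: everything in $_GET is untrusted input.
// $_GET is filled in by hand here so the script also runs from the CLI.
$_GET = ['instance_id' => '42', 'column' => 'make', 'key_word' => 'ford & "chevy"'];

$instance_id     = filter_var($_GET['instance_id'] ?? null, FILTER_VALIDATE_INT);
$allowed_columns = ['make', 'model', 'year'];          // hypothetical allowlist
$column   = in_array($_GET['column'] ?? '', $allowed_columns, true)
          ? $_GET['column'] : null;
$key_word = is_string($_GET['key_word'] ?? null) ? $_GET['key_word'] : '';

if ($instance_id === false || $column === null) {
    echo "Bad request\n";
} else {
    // Escape again at the point of output, whatever the source of the value.
    echo 'Searching ', htmlspecialchars($column, ENT_QUOTES, 'UTF-8'),
         ' for ', htmlspecialchars($key_word, ENT_QUOTES, 'UTF-8'),
         ' (instance ', $instance_id, ")\n";
}
```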
