View Full Version : urlencode()/urldecode()

09-14-2005, 08:02 PM

I have a question regarding the urlencode/decode functions.

I have a page that allows users to submit a text block. I am encoding this before instering into the database. Then, when displaying back onto the page, i am decoding.

The problem I am having specifically (although I'm sure it will affect other characters) is with the ' character. If I add "don't", when decoding out, it reads "don\'t".

Is there a built-in funciton to correct these (or an alternative to urlencode/decode) or do I need to create my own clean-up function?


09-15-2005, 12:11 AM
i don't realy see what escaping the quote has to do with urlencode() ...

i think you're looking for addslashes(), stripslashes() and possibly mysql_real_escape_string(). you migt also wanna check out get_magic_quotes_gpc()
Take a look at example 3 at http://uk.php.net/manual/en/function.mysql-real-escape-string.php

you can find more info on the other functions by following the 'see also' links on that page.

09-15-2005, 12:12 AM
Predefined function: stripslashes()

09-21-2005, 11:09 PM
The stripslashes() works great thanks.

I'm also using the mysql_real_escape_string() for all my database calls now - is this sufficient to prevent against sql injections or do you guys recommend further measures?


09-22-2005, 01:56 AM
i wouldn't rely only on escaping the 'bad' characters.

the general rule is that you check all input from the user as soon a possible. Doesn't realy matter if you are gonna use it in a query or not...
so all data the user posts and all querystring and cookievalues should be tested on their valueformat (if you expect a numerical value, then check if it is indeed a numerical, if you expect a text of maximum 10 characters, then check that it isn't longer, if you expect a value from a limited list of option, then check if the received value is part of that list etc).

also: limit the risk of having your mysql-accountdata exposed by for instance storing your connectioncode in a page that is stored above the webroot. you then include this page when you need to open a connection.
and limit the possible consequences of an sql-injection by only giving the mysql-account that you use for PHP the strict minimum of permissions that it needs.