I have a simple form that generates a new photo gallery, sending the title and a description to MySQL and redirecting the user to a page where they can upload photos.

Everything worked fine until the ampersand entered the equation. The information is sent from a jQuery modal dialog to a PHP page which then submits the entry to the database. After Ajax completes successfully, the user is sent to the upload page with a GET URL to tell the page what album it is uploading to --

$.ajax ({
    type: "POST",
    url: "../../includes/forms/add_gallery.php",
    data: $("#addGallery form").serialize(),
    success: function() {
        $("#addGallery").dialog('close');
        window.location.href = 'display_album.php?album=' + title;
    }
});

If the title has an ampersand, the Title field on the upload page does not display properly. Is there a way to escape ampersand for GET?

Thanks

+6  A: 

In general you'll want to URL-encode anything that isn't completely alphanumerical when you pass them as parts of your URLs.

In URL-encoding, & is replaced with %26 (because 0x26 = 38 = the ASCII code of &).

To do this in JavaScript, you can use the function encodeURIComponent:

$.ajax ({
    type: "POST",
    url: "../../includes/forms/add_gallery.php",
    data: $("#addGallery form").serialize(),
    success: function() {
        $("#addGallery").dialog('close');
        window.location.href = 'display_album.php?album=' + encodeURIComponent(title);
    }
});

Note that escape has the disadvantage that + is not encoded, and will be decoded server-side as a space, and thus should be avoided (source).

If you wish to do this server-side at the PHP level, you'll need to use the function urlencode.

Sebastian P.
I believe "title" is being appended to the URL in JavaScript, from user input -- there's no opportunity to use PHP's urlencode() in this context. Ignacio's got it right -- the encoding needs to be done in JavaScript, in the OP's case. In other contexts, urlencode() would be the right function to use, though.
Frank Farmer
The answer has been updated to reflect this. :)
Sebastian P.
Thanks! Worked beautifully. This is why we test and test our pages :)
NightMICU
+1  A: 
window.location.href = 'display_album.php?album=' + encodeURIComponent(title);

The JavaScript escape function will not encode these characters: * @ - _ + . /. So if you have a title like "this+that", the plus sign will be interpreted as a space and PHP will receive the variable as "this that".

Using encodeURIComponent will also encode the following characters: , / ? : @ & = + $ #

Amry
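
The behaviour both answers describe, as an added example that is not part of the original posts: it round-trips constructed sample titles through raw concatenation, escape and encodeURIComponent, and reports what a query-string parser recovers. URLSearchParams is assumed here as a stand-in for PHP's $_GET parsing (both split on & and decode + as a space); the example.invalid base URL and the helper names are hypothetical.

```javascript
// Added example: three ways of putting a user-supplied title into
// display_album.php?album=... and what the receiving side parses back out.
// Assumption: URLSearchParams stands in for the server-side parser; like
// PHP's $_GET it splits on '&' and decodes '+' as a space.

// Constructed sample titles.
const SAMPLE_TITLES = ["Tom & Jerry", "this+that", "Q&A #1 = fun?", "plain"];

const builders = {
  raw: (t) => "display_album.php?album=" + t,
  escape: (t) => "display_album.php?album=" + escape(t),
  encodeURIComponent: (t) => "display_album.php?album=" + encodeURIComponent(t),
};

// Parse a relative URL the way the receiving page would see it.
function parseQuery(relativeUrl) {
  // example.invalid is a placeholder base so the URL parser accepts the path.
  const url = new URL(relativeUrl, "http://example.invalid/");
  const params = {};
  for (const [k, v] of url.searchParams) params[k] = v;
  return { params, fragment: url.hash };
}

// Round-trip one title through one builder and report whether it survived.
function roundTrip(builderName, title) {
  const href = builders[builderName](title);
  const { params, fragment } = parseQuery(href);
  const keys = Object.keys(params);
  return {
    href,
    album: params.album,
    // Parameters the user input created by itself: unencoded '&' starts one.
    extraKeys: keys.filter((k) => k !== "album"),
    // Unencoded '#' moves the rest of the title into the fragment,
    // which the browser never sends to the server.
    fragment,
    intact: params.album === title && keys.length === 1 && fragment === "",
  };
}

for (const name of Object.keys(builders)) {
  for (const title of SAMPLE_TITLES) {
    const r = roundTrip(name, title);
    console.log(name.padEnd(18), JSON.stringify(title).padEnd(18),
      r.intact ? "ok" : "BROKEN", JSON.stringify(r.album), r.extraKeys);
  }
}
```

Only the encodeURIComponent rows come back intact for every title. The raw rows also show why this matters beyond display: an unencoded & in user input becomes a separate request parameter.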