views: 99
answers: 7

Hi Guys,

Basically I'm developing a (very) simple search engine. You can enter a search term and you are taken to the results page, which works fine. However, on the results page I have a button that will take you to the next 10 results, where $term is the $_POST['term'] value:

echo "<input type='hidden' name='term' value='" . $term . "'>";

This causes the following problem when the term is, for example, "aidan's".

When the next 10 button is clicked, the term becomes aidan\ and no further results are found.

I am not doing anything to $term.

I usually use Java, but am required to use PHP for this uni assignment!

Any help would be greatly appreciated.

A: 

Try looking at addslashes() and stripslashes(): http://php.net/manual/en/function.addslashes.php

Regarding your issue, I think you should try to add something like this:

$search = stripslashes($_POST['term']);
Rodolphe
+1  A: 

It could be your PHP that escapes your data; check out http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc and/or http://php.net/manual/en/function.addslashes.php. These should help you to identify the problem.

Redlab
A: 

If you use double quotes, you don't have to break your string when using a variable. You can also use various options, such as those mentioned already, or htmlentities() or urlencode(). I would use the latter, just cuz. So you would end up with:

$term = urlencode($term);
echo "<input type='hidden' name='term' value=\"$term\">";
Anthony
A: 

You need to htmlspecialchars() every single bit of data you output to your page. A set-up like yours is the reason that so many XSS vulnerabilities exist around the world, and you should not contribute to them.

echo "<input type='hidden' name='term' value='" . htmlspecialchars($term) . "'>";

Once you have that, you will need no obscure addslashes/quote escaping/whatever anymore.

To make that easier throughout your code, define

function h($s) { return htmlspecialchars($s); }

echo "<input type='hidden' name='term' value='" . h($term) . "'>";
Tomalak
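An added example (not Tomalak's code) that shows what the h() helper produces for the term from the question and a few other constructed inputs, and why the flags matter: htmlspecialchars() only started escaping single quotes by default in PHP 8.1, so a single-quoted attribute like value='...' needs ENT_QUOTES passed explicitly on older versions. The script renders each term unescaped and escaped, then decodes the escaped attribute to confirm the browser would submit the original term back unchanged. It assumes PHP 5.4 or later (for ENT_SUBSTITUTE and the UTF-8 default charset).

```php
<?php
// Added example, not part of the original answer.
// Assumes PHP >= 5.4.

function h($s) {
    // ENT_QUOTES escapes both ' and ", so the result is safe inside either a
    // single-quoted or a double-quoted attribute. Before PHP 8.1 the default
    // was ENT_COMPAT, which leaves ' alone and would let "aidan's" close a
    // value='...' attribute early.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hiddenField($name, $value) {
    return "<input type='hidden' name='" . h($name) . "' value='" . h($value) . "'>";
}

// Attribute value as the browser would submit it back: the text between the
// quotes with entities decoded. Returns null if the markup does not parse.
function submittedValue($html) {
    if (!preg_match("/value='([^']*)'/", $html, $m)) {
        return null;
    }
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Constructed sample terms: the one from the question plus a few edge cases.
$terms = array("aidan's", 'say "hi"', 'a < b & c > d', 'plain term');

foreach ($terms as $term) {
    // Unescaped, as in the question: a quote in the term terminates the attribute.
    $broken  = "<input type='hidden' name='term' value='" . $term . "'>";
    $escaped = hiddenField('term', $term);

    echo "term:      $term\n";
    echo "unescaped: $broken\n";
    echo "escaped:   $escaped\n";

    // Round trip: the escaped form must decode to exactly the original term,
    // while the unescaped form loses everything after the first quote.
    $ok = submittedValue($escaped) === $term;
    echo "round trip via escaped field: " . ($ok ? 'OK' : 'BROKEN') . "\n";
    echo "submitted from unescaped field: " . var_export(submittedValue($broken), true) . "\n\n";
}
```

For "aidan's" the escaped line reads value='aidan&#039;s', and decoding it gives "aidan's" again, whereas the unescaped field submits only "aidan". The helper is the only place where escaping happens, so the rest of the page can keep working with the raw term.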
A: 

I think the easiest way is not to put $term as a hidden field at all. For pagination, you can keep memory of the searched term in the session.

Andrea
Wrong idea. None of the search engines use sessions to pass a search string, for obvious reasons.
Col. Shrapnel
What are the obvious reasons? Excuse my naive question, but I do not see problems with that.
Andrea
A: 

The function you are looking for is htmlspecialchars(). However, to make it work, you must use quotation marks to wrap the parameter.

Plus, if there are slashes involved, the stripslashes() function may be needed.

So:

$term = htmlspecialchars( stripslashes( $term ) );

echo '<input type="text" name="term" value="' . $term . '" >';
Lucanos
A: 
  1. Always use the GET method for the search, not POST.
  2. Either turn magic quotes off or strip the slashes manually.
  3. Use htmlspecialchars() with the ENT_QUOTES parameter to encode the form field's value.
  4. Consider printing out the HTML as is, not using PHP echo, to get rid of all this quotes craze.
  5. Most important part: if you quote your term for the database search, don't use the quoted variable in your form.

so

if (isset($_GET['term'])) {
  if (get_magic_quotes_gpc()) $_GET['term'] = stripslashes($_GET['term']);
  //$term=mysql_real_escape_string($_GET['term']);
  //perform search here.
  //
  $term = htmlspecialchars($_GET['term'],ENT_QUOTES); //from $_GET again
  ?>
  <input type="hidden" name="term" value="<?php echo $term?>">
  <?php
}
Col. Shrapnel
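An added example (not Col. Shrapnel's code) that puts the five points above into one self-contained search page: the term comes from GET, magic quotes are undone only where an old PHP adds them, the database lookup binds the raw term as a prepared-statement parameter instead of quoting it by hand, and HTML escaping with ENT_QUOTES happens once, at output. It uses an in-memory SQLite database through PDO so it runs without a server; the pdo_sqlite extension, the table, its rows and the simulated $_GET request are all assumptions made for the example.

```php
<?php
// Added example, not the original answer's code. Assumes PHP >= 5.4 with pdo_sqlite.

const PAGE_SIZE = 10;

// 1. Read the raw term from GET. Undo magic quotes on PHP < 5.4 so that
//    "aidan's" does not arrive as "aidan\'s". get_magic_quotes_gpc() no longer
//    exists in PHP 8, hence the function_exists() guard.
function rawTerm(array $get) {
    $term = isset($get['term']) ? (string) $get['term'] : '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $term = stripslashes($term);
    }
    return $term;
}

// 2. Database context: the term is bound as a parameter, never concatenated
//    or quoted into the SQL. LIKE wildcards in the input are escaped so a
//    search for "50%" matches literally.
function searchPages(PDO $db, $term, $offset) {
    $stmt = $db->prepare(
        "SELECT title FROM pages WHERE title LIKE :pattern ESCAPE '\\' " .
        "ORDER BY title LIMIT :limit OFFSET :offset"
    );
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', PAGE_SIZE, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. HTML context: escape at output, with ENT_QUOTES so the value is safe in
//    either quote style. The raw $term is never modified for this.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The form carries the current term and the next offset, so "Next 10" is
// just another GET request with offset + PAGE_SIZE.
function renderPage($term, array $results, $offset) {
    $out  = "<form method=\"get\">\n";
    $out .= '  <input type="text" name="term" value="' . h($term) . "\">\n";
    $out .= '  <input type="hidden" name="offset" value="' . ($offset + PAGE_SIZE) . "\">\n";
    $out .= '  <button type="submit">Next ' . PAGE_SIZE . "</button>\n";
    $out .= "</form>\n<ul>\n";
    foreach ($results as $title) {
        $out .= '  <li>' . h($title) . "</li>\n";   // results are data too: escape them
    }
    return $out . "</ul>\n";
}

// --- constructed sample data and a simulated request ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (title TEXT)');
$insert = $db->prepare('INSERT INTO pages (title) VALUES (:t)');
foreach (array("aidan's homepage", "Aidan's photos", 'about aidan', 'unrelated') as $t) {
    $insert->execute(array(':t' => $t));
}

$_GET   = array('term' => "aidan's", 'offset' => '0');   // simulated request
$term   = rawTerm($_GET);
$offset = max(0, (int) (isset($_GET['offset']) ? $_GET['offset'] : 0));
echo renderPage($term, searchPages($db, $term, $offset), $offset);
```

The rendered text field reads value="aidan&#039;s", the two titles containing "aidan's" are listed (SQLite's LIKE is case-insensitive for ASCII), and following the form re-submits the exact original term with offset=10. Nothing in the database path ever sees an HTML-escaped string, and nothing in the HTML path ever sees a SQL-escaped one, which is point 5 of the list.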