An Encoding Issue?

Question

Hello all,

I think I have a URL encoding issue. I need to open a window using Javascript and pass a SQL Select query to it. So I have done this:

window.open('view_query.php?sql_query=' + query + '&db_name=' + db_name);

This has worked for me, but I have a query that breaks this:

SELECT a FROM table WHERE field like '%adhoc%' 

Now when the new window opens and I print the query received from the URL GET variable it looks like this:

SELECT a FROM table WHERE field like '�hoc%' 

Notice the bit %ad has turned into an unrecognised character! Why?

I have tried solving this with URL encoding but since I need the % symbol I can't use many URL encoders since they will turn this into something else?!

Thanks all for any help.

Answer 1

Encode your query using http://pl.php.net/urlencode. Then decode it using http://pl.php.net/urldecode (if needed, PHP should do this for you automatically)

Answer 2

This is because of url encoding - you need to call
window.open('view_query.php?sql_query='+encodeURICompoent(query)+'&db_name...);
and then on php side $query = rawurldecode($_GET['sql_query']);

Answer 3

The % character is used to encode characters in an URL using a character code. The sequence %ad means the character with the hexadecimal character code 0xAD, or decimal 173.

Use the encodeURIComponent function to escape values for the URL:

window.open('view_query.php?sql_query=' + encodeURIComponent(query) + '&db_name=' + encodeURIComponent(db_name));

Just to make sure that you (and anyone reading this) are aware of it, let me also point out the risks of sending SQL code via the browser. Anyone using the system could send anything as a query, including for example drop table.