views:

982

answers:

10

How can I replace spaces in a URL with an underline (_)?

$query = mysql_query("SELECT * FROM users WHERE username = '$_GET[user]'");

But if a user has a space in her/his username I wanna replace the space with an underline. So the URL for profile.php?user=John Johnson would be profile.php?user=John_Johnson.

How can I do this?

Thanks!

+2  A: 

str_replace?

Chuck
+1  A: 

You could just replace it in the actual variable using str_replace or strtr. Strtr is usually shown to be faster.

$newUsername = strtr($_GET['user'], ' ', '_');

Should do it, and your new query:

$query = mysql_query("SELECT * FROM users WHERE username = '$newUsername'");
Logan Serman
A: 

Use str_replace() like this:

$query = mysql_query("SELECT * FROM users WHERE username = '" . str_replace(' ', '_', $_GET['user']) . "'");
Jonas Klemming
+11  A: 

As mentioned elsewhere, str_replace will do what you are specifically looking for, but...

I'd be more worried about profile.php?user=John' DROP DATABASE--

Don't build queries like this. EVER. See SQL Injection for one reason why. Take a look at this article for the right way to do it.

Oh, and a comic to use as a memory aid to reinforce that you should NEVER do this.

EDIT: In response to your response (you're better off editing your original question so that it's obvious that you are clarifying your question). If you have the user 'John Johnson' stored in the database, but you want to access him with the URL profile.php?user=John_Johnson, you need to reverse the replacement you are doing:

 $user  = str_replace('_', ' ', $_GET['user']);
 $user  = mysql_escape_string($user);
 $query = mysql_query("SELECT * FROM users WHERE username = '$user'");

 // if the user does not exist, print an error message
 if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');

This will take profile.php?user=John_Johnson and produce the sql query: SELECT * FROM users WHERE username = 'John Johnson'

The sample code you replied with would take profile.php?user=John Johnson and produce the sql query: SELECT * FROM users WHERE username = 'John_Johnson' which I suspect is the opposite of what you want.

But again, I'd strongly recommend looking into prepared statements. mysql_escape_string is really a stop-gap measure. All it takes is forgetting to use it once and you've opened up your site to hacking.

Eclipse
Sound advice, but this is not an answer to the question. Things like this should be posted in comments instead.
EndangeredMassa
Little Bobby TABLES …
Gumbo
Ah, the good old XKCD. It's great.
Pim Jager
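
The prepared-statement approach recommended in the answer above, as an added example that is not part of the original thread. It assumes PDO with an in-memory SQLite database and a constructed `users` table so it runs offline; the function name `findUserBySlug` is hypothetical.

```php
<?php
// Added example: constructed schema and rows, not the asker's real database.
// Uses PDO with an in-memory SQLite database so it runs offline; with MySQL
// only the DSN changes, the prepare/execute calls stay the same.

function findUserBySlug(PDO $db, string $slug): ?array
{
    // Reverse the URL mapping: profile.php?user=John_Johnson -> 'John Johnson'.
    // Note: this is ambiguous if stored usernames may themselves contain '_'.
    $username = strtr($slug, '_', ' ');

    // The value travels as a bound parameter, never as part of the SQL text,
    // so quotes in it cannot change the statement.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('John Johnson'), ('Biff')");

// Constructed inputs: a normal slug, the quote-bearing value from the answer
// above, and a name that does not exist.
$inputs = ['John_Johnson', "John' DROP DATABASE--", 'Nobody'];

foreach ($inputs as $slug) {
    $user = findUserBySlug($db, $slug);
    if ($user === null) {
        // Escape on output as well; the slug is still untrusted text.
        echo 'No user for "' . htmlspecialchars($slug, ENT_QUOTES, 'UTF-8') . "\"\n";
    } else {
        echo "Found #{$user['id']}: {$user['username']}\n";
    }
}

// The table is still intact after the quote-bearing input.
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn() . " users in table\n";
```

Unlike the escape-then-interpolate pattern, there is no per-call escaping step to forget: every value passed to `execute()` is bound as data.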
A: 

The str_replace function is what you are looking for. (There are some other alternatives but str_replace is enough for this case)

$query = mysql_query("SELECT * FROM users WHERE username = '" . str_replace(' ', '_', $_GET['user']) . "'");

WARNING: You should seriously read something about SQL injection. Here is some introduction:

http://sk.php.net/security.database.sql-injection

lacop
A: 

You might want to look at preg_replace() and replace all " " with "_" like so:

$result = preg_replace("/\s/", "_", $_GET['user']);

But you should not be putting user input directly into a query like that. Look into PHP input sanitization.

EDIT: Sorry forgot that regex requires \s to mean a space.

Mykroft
+3  A: 

Don't create SQL strings from unchecked user input.

At least use mysql_escape_string() to avoid being hacked on first sight:

$user  = str_replace(' ', '_', $_GET['user']);
$user  = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
Tomalak
A: 

Weird, none of your codes seem to work... I have a user called John Johnson in the database. It works with the ones without space.

The code:

     $user  = str_replace(' ', '_', $_GET['user']);
     $user  = mysql_escape_string($user);
     $query = mysql_query("SELECT * FROM users WHERE username = '$user'");

     // if the user does not exist, print an error message
     if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');
+3  A: 

Since you do not need regular expressions to do this replacement, you should avoid them since they have significant overhead.

Furthermore, since you're only after characters and not strings, you should go for the function written for character-to-character mapping: strtr()

$result = strtr($original, " ", "_");
Nerdling
+1  A: 

Biff,

Try this:

$user = urldecode($_GET['user']); //$user now contains 'John Smith' instead of 'John%20Smith', which I assume is why the query was failing

$user = mysql_escape_string($user);

$query = mysql_query("SELECT * FROM users WHERE username = '$user'");

Your problem seems to be with URL Encoded characters preventing a match. Hope that helps.

karim79