& in text is giving me fits


shanetastic


$Rep = htmlspecialchars($_GET["Rep"]);
echo $Rep;

 

The above will print "John Doe & Assoc." (without the quotes)

 

$result = mysql_query("SELECT RepName FROM Reps WHERE Repname = '".$Rep."'");
$repcount = mysql_num_rows($result);
echo $repcount;

 

The above code prints "0"

 

If I delete the first block of code and replace it with

$Rep = "John Doe & Assoc.";

 

The second block of code will then return a "1" as it should.  Why is one returning a 0 and one returning a 1 when the text in $Rep appears to be identical in both cases?  This problem only appears to be occurring when the $Rep value contains an &.

 

 

 


htmlspecialchars is replacing "&" with "&amp;"

 

As smoseley states, htmlspecialchars() is escaping the input to make it safe for HTML output. It will modify the value if certain characters are in it. You need to make a decision if you will run values through htmlspecialchars() before storing them or not. Then you need to do the same thing with values before using them for comparison. You could run values through htmlspecialchars() before storing them and then you can just echo them to the page. However, I would advise against this. I prefer to store values in their "native" state - i.e. no escaping/sanitizing. If you escape the values for a specific purpose (in this case HTML output) you cannot effectively reverse the process if you need the data for a different output.

 

So, it seems you are doing just that - storing the value without any escaping. So, you need to not escape values if you are going to use them for comparisons in queries. Just make sure you use the appropriate escape functions when outputting the values. But, what you SHOULD be doing is running the value through mysql_real_escape_string() to prevent SQL Injection.

 

Also, it is not common to have a query looking for an exact comparison to a string like this. Typically, you will see LIKE comparisons. So, if the user entered "john" or "doe", it would find the same record. That would be implemented like this

$Rep = mysql_real_escape_string($_GET['Rep']);
$query = "SELECT RepName FROM Reps WHERE Repname LIKE '%{$Rep}%'";
$result = mysql_query($query) or die("Query: $query<br>" . mysql_error());

 

I would also advise against building your query inside the mysql_query() function. Instead, build the query as a string variable that you can echo to the page when there are errors. It makes debugging much simpler.
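
An added example (not code from any poster in this thread) of the approach the answer above describes: compare against the raw value, bind it as a query parameter, and HTML-encode only at output. It swaps the thread's mysql_* calls for PDO prepared statements on an in-memory SQLite table so it runs stand-alone; the table contents and the helpers `countReps()`, `findReps()` and `h()` are constructed for the illustration.

```php
<?php
// Constructed sample data: an in-memory SQLite table stands in for the thread's MySQL Reps table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Reps (RepName TEXT)');
$insert = $db->prepare('INSERT INTO Reps (RepName) VALUES (?)');
foreach (['John Doe & Assoc.', "O'Brien & Sons"] as $name) {
    $insert->execute([$name]);   // stored in native form, no HTML encoding
}

// Hypothetical helper: exact-match count with the value bound as a parameter,
// so quotes in the input never become part of the SQL text.
function countReps(PDO $db, string $rep): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM Reps WHERE RepName = ?');
    $stmt->execute([$rep]);
    return (int) $stmt->fetchColumn();
}

// Hypothetical helper: substring search; the wildcards are added to the bound value.
function findReps(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT RepName FROM Reps WHERE RepName LIKE ?');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hypothetical helper: HTML-encode at the point of output only.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$raw = 'John Doe & Assoc.';   // stands in for $_GET['Rep']

// The HTML-encoded form contains "&amp;", so it is a different string from the stored row.
printf("encoded value in query: %d\n", countReps($db, h($raw)));
// The raw value is the same string as the stored row.
printf("raw value in query:     %d\n", countReps($db, $raw));
// A value containing a single quote is passed through the binding unchanged.
printf("value with a quote:     %d\n", countReps($db, "O'Brien & Sons"));

// Encode when writing into HTML, after the query has run on raw data.
foreach (findReps($db, 'doe') as $name) {
    echo '<li>' . h($name) . "</li>\n";
}
```

Any `%` or `_` typed into the search term still acts as a LIKE wildcard in `findReps()`, because parameter binding does not escape pattern characters.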
