marileejean Posted April 2, 2012

Hi all,

I've created a search page on my website with pagination from the book. If a search is entered with an apostrophe, the first time the search page (and sticky form value) is loaded, it looks fine, but as you click on each of the page links, the apostrophe is escaped again, adding slashes into the form value and the URL:

Initial search of Mother's Day:
http://aqualee.com/n...=Mother%27s+Day

After clicking back & forth on the previous/next page links a couple of times:
http://aqualee.com/new/search.php?keyword=Mother\\\\\\\'s%20Day&s=6&p=2

My best guess is that it's applying htmlspecialchars (for the page title & form value) and/or mysqli_real_escape_string (for the keyword in the URL) with each page load, but I can't figure out the logic in how to avoid that while keeping the data safe. This update to my site is my first foray into PHP or SQL, and I have as much experience in programming as a semester in C++ can give you.

Here's the relevant code (I think!)...

$show_keyword is set and used in the title and form value here:

// set page title
if (isset($_GET['keyword'])) {
    $show_keyword = htmlspecialchars($_GET['keyword']);
}
$page_title = 'Search results for ' . $show_keyword . ' greeting cards by Aqua Lee';
include ('header.html');

// create text form to search with sticky value
echo '<form action="search.php" method="GET">
<label>Search: <input type="text" name="keyword" size="20" maxlength="50" value="' . $show_keyword . '" /></label>
<input type="submit" value="Search" /></form>';

$search_term is set & escaped here:

// validate and secure user entry
if (!empty($_GET['keyword'])) {
    $search_term = mysqli_real_escape_string($dbcon, trim($_GET['keyword']));
}

$search_term is used in the URLs where the extra slashes show:

# create pagination links
// Make the links to other pages, if necessary.
if ($pages > 1) {
    echo '<br /><p>';
    $current_page = ($start / $display) + 1;

    // If it's not the first page, make a Previous button:
    if ($current_page != 1) {
        echo '<a href="search.php?keyword=' . $search_term . '&s=' . ($start - $display) . '&p=' . $pages . /* '&sort=' . $sort . */ '">Previous</a> ';
    }

    // Make all the numbered pages:
    for ($i = 1; $i <= $pages; $i++) {
        if ($i != $current_page) {
            echo '<a href="search.php?keyword=' . $search_term . '&s=' . ($display * ($i - 1)) . '&p=' . $pages . /* '&sort=' . $sort . */ '">' . $i . '</a> ';
        } else {
            echo $i . ' ';
        }
    } // End of FOR loop.

    // If it's not the last page, make a Next button:
    if ($current_page != $pages) {
        echo '<a href="search.php?keyword=' . $search_term . '&s=' . ($start + $display) . '&p=' . $pages . /* '&sort=' . $sort . */ '">Next</a>';
    }
    echo '</p>';
}

Can you tell me where the redundancy is, if that's the problem? Do I even need to escape the form input if I'm just displaying it in the title or in the form? I read about some similar problems with apostrophes, and magic quotes were suggested to be the culprit... they are turned off in my php.ini file.

Thanks for taking a look!!
-Marilee
Larry Posted April 2, 2012

My first suspicion is Magic Quotes. You say they're turned off in your php.ini, but they could be enabled in a directory configuration file. Run a phpinfo() script in the directory to confirm this setting first.
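The mechanism behind the growing run of backslashes follows from the code in the question and Larry's diagnosis: with magic_quotes_gpc on, PHP adds a backslash to the apostrophe in $_GET['keyword'] on every request; mysqli_real_escape_string() then adds another, and because that SQL-escaped value is what gets written into the Previous/Next link, each click feeds the doubly-escaped string back in as the next request's input. The durable fix is to undo magic quotes once (and only when they are actually on), then encode the raw keyword separately for each place it is emitted. The following is an added example, not code from the book or from either poster; it assumes $dbcon is an open mysqli connection and uses a hypothetical table `cards` with columns `id`, `name` and `description`:

```php
<?php
// Added example (not the original poster's code). Assumptions: $dbcon is an open mysqli
// connection; the table `cards` and its columns `id`, `name`, `description` are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make prepare()/execute() failures throw

// 1. Undo magic_quotes_gpc exactly once, and only if the directory config really turned it on.
//    ini_get('magic_quotes_gpc') shows the effective value; phpinfo() in that directory does too.
//    (get_magic_quotes_gpc() always returns false from PHP 5.4 and was removed in PHP 8.0, so an
//    unconditional stripslashes() would start eating legitimate backslashes on a newer server.)
function raw_gpc(array $input)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        array_walk_recursive($input, function (&$v) { $v = stripslashes($v); });
    }
    return $input;
}

$get     = raw_gpc($_GET);
$keyword = isset($get['keyword']) ? trim($get['keyword']) : '';  // the one canonical value
$display = 10;                                                     // results per page
$start   = isset($get['s']) ? max(0, (int) $get['s']) : 0;

// 2. HTML context: escape once, at output time, for the title and the sticky form value.
$show_keyword = htmlspecialchars($keyword, ENT_QUOTES, 'UTF-8');
$page_title   = 'Search results for ' . $show_keyword . ' greeting cards'; // echoed by the header include

echo '<form action="search.php" method="get">'
   . '<label>Search: <input type="text" name="keyword" size="20" maxlength="50" value="' . $show_keyword . '" /></label>'
   . '<input type="submit" value="Search" /></form>';

// 3. SQL context: a prepared statement, so the keyword is never spliced into the query text and
//    needs no mysqli_real_escape_string(). LIKE wildcards typed by the user are escaped so that
//    "100%" matches literally instead of becoming a wildcard.
$total = 0;
$rows  = array();
if ($keyword !== '') {
    $like = '%' . addcslashes($keyword, '%_\\') . '%';

    $stmt = $dbcon->prepare('SELECT COUNT(*) FROM cards WHERE name LIKE ? OR description LIKE ?');
    $stmt->bind_param('ss', $like, $like);
    $stmt->execute();
    $stmt->bind_result($total);
    $stmt->fetch();
    $stmt->close();

    $stmt = $dbcon->prepare('SELECT id, name FROM cards WHERE name LIKE ? OR description LIKE ? ORDER BY name LIMIT ?, ?');
    $stmt->bind_param('ssii', $like, $like, $start, $display);
    $stmt->execute();
    $stmt->bind_result($id, $name);
    while ($stmt->fetch()) {
        $rows[] = array('id' => $id, 'name' => $name);
    }
    $stmt->close();
}

// 4. URL context: build the query string from the RAW keyword with http_build_query(), which
//    percent-encodes it ("Mother's Day" -> keyword=Mother%27s+Day), then HTML-escape the whole
//    href because it sits inside an attribute. Nothing SQL-escaped ever reaches the link.
function page_link($keyword, $start, $pages, $label)
{
    $qs = http_build_query(array('keyword' => $keyword, 's' => $start, 'p' => $pages));
    return '<a href="search.php?' . htmlspecialchars($qs, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a> ';
}

$pages = (int) ceil($total / $display);
if ($pages > 1) {
    $current_page = (int) ($start / $display) + 1;
    echo '<p>';
    if ($current_page != 1) {
        echo page_link($keyword, $start - $display, $pages, 'Previous');
    }
    for ($i = 1; $i <= $pages; $i++) {
        echo ($i != $current_page) ? page_link($keyword, $display * ($i - 1), $pages, (string) $i) : $i . ' ';
    }
    if ($current_page != $pages) {
        echo page_link($keyword, $start + $display, $pages, 'Next');
    }
    echo '</p>';
}
```

The rule this illustrates is that each encoding belongs to exactly one output context and is applied once, right where that output is produced: htmlspecialchars() for HTML, urlencode()/http_build_query() for query strings, and bound parameters (or, failing that, mysqli_real_escape_string()) for SQL. A value encoded for one context must never be reused in another, which is what the original pagination links did with $search_term.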
marileejean Posted April 2, 2012 (Author)

You are right! Thank you for the excellent & very quick response! I added stripslashes() to both places and now the pages are looking lovely.
Larry Posted April 3, 2012

Glad that solved it and thanks for letting us know.