Larry Ullman's Book Forums

Hi all,


I've created a search page on my website with pagination from the book. If a search is entered with an apostrophe, the first time the search page (and sticky form value) is loaded, it looks fine, but as you click on each of the page links, the apostrophe is escaped again, adding slashes into the form value and the URL:


Initial search of Mother's Day:



After clicking back & forth on the previous/next page links a couple times:



My best guess is that it's applying htmlspecialchars (for the page title & form value) and/or mysqli_real_escape_string (for the keyword in the url) with each page load, but I can't figure out the logic in how to avoid that while keeping the data safe. This update to my site is my first foray into PHP or SQL, and I have as much experience in programming as a semester in C++ can give you. :unsure: Here's the relevant code (I think!)...


$show_keyword is set and used in the title and form value here

// set page title
$show_keyword = ''; // default so the title and form value are defined when no keyword is given
if (isset($_GET['keyword'])) {
    $show_keyword = htmlspecialchars($_GET['keyword']);
}
$page_title = 'Search results for '.$show_keyword.' greeting cards by Aqua Lee';
include ('header.html');
// create text form to search with sticky value
echo '<form action="search.php" method="GET">
<input type="text" name="keyword" size="20" maxlength="50" value="'.$show_keyword.'" />
<input type="submit" value="Search" /></form>';


$search_term is set & escaped here

// validate and secure user entry
if (!empty($_GET['keyword']) )
 $search_term = mysqli_real_escape_string($dbcon, trim($_GET['keyword']) );


$search_term is used in the URLs where extra slashes show

# create pagination links

// Make the links to other pages, if necessary.
if ($pages > 1) {

    echo '<br /><p>';
    $current_page = ($start/$display) + 1;

    // If it's not the first page, make a Previous button:
    if ($current_page != 1) {
        echo '<a href="search.php?keyword='.$search_term.'&s=' . ($start - $display) . '&p=' . $pages. /*. '&sort=' . $sort . */'">Previous</a> ';
    }

    // Make all the numbered pages:
    for ($i = 1; $i <= $pages; $i++) {
        if ($i != $current_page) {
            echo '<a href="search.php?keyword='.$search_term.'&s=' . (($display * ($i - 1))) . '&p=' . $pages./* . '&sort=' . $sort . */'">' . $i . '</a> ';
        } else {
            echo $i . ' ';
        }
    } // End of FOR loop.

    // If it's not the last page, make a Next button:
    if ($current_page != $pages) {
        echo '<a href="search.php?keyword='.$search_term.'&s=' . ($start + $display) . '&p=' . $pages./* . '&sort=' . $sort . */'">Next</a>';
    }

    echo '</p>';

} // End of links section.



Can you tell me where the redundancy is, if that's the problem? Do I even need to escape the form input if I'm just displaying it in the title or in the form? I read about some similar problems with apostrophes, and magic quotes were suggested to be the culprit...they are turned off in my php.ini file. Thanks for taking a look!!



My first suspicion is Magic Quotes. You say they're turned off in your php.ini, but they could be enabled in a directory configuration file. Run a phpinfo() script in the directory to confirm this setting first.
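
An added example, not part of either post: in the code posted above, the value written into the pagination links is the SQL-escaped $search_term, so every click sends an already-escaped keyword back through the escape. The sketch below reproduces that round trip and contrasts it with encoding the raw keyword once per output context. It uses addslashes() as a stand-in for mysqli_real_escape_string() so it runs without a database, swaps in a prepared statement for the query, and its function names and the cards table are hypothetical.

```php
<?php
// Added example (not the poster's code): one encoding per output context,
// always applied to the raw keyword, never to an already-escaped value.

// Stand-in for mysqli_real_escape_string() so this runs without a database
// connection; for an apostrophe both prepend a single backslash.
function sql_escape_stand_in(string $s): string {
    return addslashes($s);
}

// What the posted links do: the SQL-escaped value goes into the URL.
function link_posted_style(string $keyword, int $start): string {
    return 'search.php?keyword=' . sql_escape_stand_in($keyword) . '&s=' . $start;
}

// Corrected: URL-encode the raw value for the query string, then
// HTML-encode the finished URL because it is printed inside href="...".
function link_fixed(string $keyword, int $start): string {
    $query = http_build_query(['keyword' => $keyword, 's' => $start]);
    return htmlspecialchars('search.php?' . $query, ENT_QUOTES, 'UTF-8');
}

// Simulate a click: undo the HTML encoding, then parse the query string
// the way PHP fills $_GET on the next request.
function follow(string $href): string {
    $url = html_entity_decode($href, ENT_QUOTES, 'UTF-8');
    parse_str(substr($url, strpos($url, '?') + 1), $get);
    return $get['keyword'];
}

// For the query, bind the raw keyword rather than escaping it by hand.
// Table and column names are hypothetical.
function search_cards(mysqli $dbcon, string $keyword): mysqli_result {
    $stmt = $dbcon->prepare('SELECT id, title FROM cards WHERE title LIKE ?');
    $like = '%' . $keyword . '%';
    $stmt->bind_param('s', $like);
    $stmt->execute();
    return $stmt->get_result();
}

$bad = $good = "Mother's Day"; // constructed sample input
for ($click = 1; $click <= 3; $click++) {
    $bad  = follow(link_posted_style($bad, $click * 10));
    $good = follow(link_fixed($good, $click * 10));
    echo "click $click | posted style: $bad | fixed: $good\n";
}
// Sticky form value: HTML-encode the raw keyword once, at output time.
echo '<input type="text" name="keyword" value="' . htmlspecialchars($good, ENT_QUOTES, 'UTF-8') . '" />' . "\n";
```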
