Re: Urlencode vs htmlentities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Tue, Dec 06, 2005 at 12:05:10PM -0800, Mark Steudel wrote:
> Lets say I have the following:

Before I go further:

  htmlentities - escapes the output for html
  urlencode    - escapes the output for a url

>  
> Current URL: http://www.domain.com/page.php?action=list
> <http://www.domain.com/page.php?action=list&top=/page.php?action=list&id=3>
> &top=/page.php?action=list&id=3
>  
> $top = $_SERVER['PHP_SELF'].'?'.$_SERVER['argv']['0']

- Be careful when using PHP_SELF, probably not a factor here but
  consider if someone requested /page.php/foobar?action....
  PHP_SELF will be 'page.php/foobar

- $_REQUEST['argv']... well there isn't any such requested
  variabled. 

>  
> Now I want to create a URL with a return link in it
>  
> <a href="'.$_SERVER['PHP_SELF'].'?action=add&amp;return='.$top.'"> Add
> Something </a>
>  
> Should I use htmlentites on $top first?

no.. your are defining a url paremeter, so you should escape for a url

>  
> Second let's say instead of constructing a link I want to use a header and
> redirect someone
>  
> header("location: page.php?action=add&return=".$top );
>  
> So do I use urlencode here?

yes, cause your are defining a url parameter.

>  
> Lets say I have something that has been htmlentitied, and I want to use a
> header command, do I htmlentitydecode and then urlencode?

Lets say i open a bottle of wine for someone, should I take the
first sip and say yes this is a good wine or not, or let them taste
and decide.

I wonder this cause, well, i wonder why the url has anything to do
with htmlentities, cause it doesn't.. all it needs to know is that
what it is sending is ok (urlencoded). The url doesn't care what the
application did prior to sending the data.

Hopefully to explain my first thoughts:

  1. htmlentities should only be applied when outputing data that
     will be interpreted as html.

     ie: echoing to the browser.

  2. urlencode should be used when outputing data that will be
     interpreted within a url.

     ie: making an href or header('Location: ') call, in otherwords
     defining data being sent via http.

HTH,

Curt.
-- 
cat .signature: No such file or directory

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux