On Tue, Dec 06, 2005 at 12:05:10PM -0800, Mark Steudel wrote:
> Let's say I have the following:

Before I go further:

  htmlentities - escapes the output for html
  urlencode - escapes the output for a url

>
> Current URL: http://www.domain.com/page.php?action=list
> <http://www.domain.com/page.php?action=list&top=/page.php?action=list&id=3>
> &top=/page.php?action=list&id=3
>
> $top = $_SERVER['PHP_SELF'].'?'.$_SERVER['argv']['0']

  - Be careful when using PHP_SELF, probably not a factor here but
    consider if someone requested /page.php/foobar?action....
    PHP_SELF will be 'page.php/foobar'

  - $_REQUEST['argv']... well there isn't any such requested variable.

>
> Now I want to create a URL with a return link in it
>
> <a href="'.$_SERVER['PHP_SELF'].'?action=add&return='.$top.'"> Add
> Something </a>
>
> Should I use htmlentities on $top first?

no.. you are defining a url parameter, so you should escape for a url

>
> Second let's say instead of constructing a link I want to use a header and
> redirect someone
>
> header("location: page.php?action=add&return=".$top );
>
> So do I use urlencode here?

yes, cause you are defining a url parameter.

>
> Let's say I have something that has been htmlentitied, and I want to use a
> header command, do I htmlentitydecode and then urlencode?

Let's say I open a bottle of wine for someone, should I take the
first sip and say yes this is a good wine or not, or let them taste
and decide.

I wonder this cause, well, I wonder why the url has anything to do
with htmlentities, cause it doesn't.. all it needs to know is that
what it is sending is ok (urlencoded). The url doesn't care what
the application did prior to sending the data.

Hopefully to explain my first thoughts:

  1. htmlentities should only be applied when outputting data that
     will be interpreted as html. ie: echoing to the browser.

  2. urlencode should be used when outputting data that will be
     interpreted within a url. ie: making an href or
     header('Location: ') call, in other words defining data being
     sent via http.

HTH,

Curt.
--
cat .signature: No such file or directory

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
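
The two rules from the message above, applied to the return-link case, as an added example that is not part of the original thread. The `$server` array is constructed sample data standing in for `$_SERVER`, and the use of `SCRIPT_NAME` and `QUERY_STRING` in place of `PHP_SELF` and `argv` is an assumption of this example.

```php
<?php
// Added example, not code from the thread. Constructed request values stand
// in for $_SERVER so the script also runs from the command line.
$server = [
    'SCRIPT_NAME'  => '/page.php',
    // PHP_SELF carries whatever trailing path info the client requested.
    'PHP_SELF'     => '/page.php/foobar',
    'QUERY_STRING' => 'action=list&id=3',
];

// SCRIPT_NAME holds only the script path, without client-chosen path info.
$self = $server['SCRIPT_NAME'];
$top  = $self . '?' . $server['QUERY_STRING'];

// URL context: $top is the value of one query parameter, so urlencode it.
// Without this, the "&id=3" inside $top would become a separate parameter
// of the outer URL instead of staying part of "return".
$url = $self . '?action=add&return=' . urlencode($top);

// Redirect: the URL goes into an HTTP header, not into HTML, so urlencode
// on the parameter value is the only escaping involved.
$location = 'Location: ' . $url;

// HTML context: the finished URL is echoed into an attribute, so the whole
// string is HTML-escaped at output time (the "&" separator becomes "&amp;").
$link = '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
      . '">Add Something</a>';

// Receiving side: PHP url-decodes query parameters itself, so the handler
// sees the original $top again and needs no htmlentity decoding at all.
parse_str(parse_url($url, PHP_URL_QUERY), $get);

echo $location, "\n";
echo $link, "\n";
echo 'return = ', $get['return'], "\n";
echo 'round trip intact: ', var_export($get['return'] === $top, true), "\n";
```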