And doing a bit more, I find that '=' and '-' are passing through OK so I'll need to train my users to use an alternative to '+'. The choking seems to be with my parsing function, which I have pasted in below:

=================================================
// Builds a WHERE-clause fragment for $field from the search text in $input.
// $sql is accepted but not used. Values are concatenated into the SQL as typed.
function sql_fltr($sql,$field,$input){
    if(strlen($input)>0){
        if( substr_count($input,"=")>0 || substr_count($input," -")>0 || substr_count($input," +")>0 ){
            // Multi-term path: split on " -" and build one clause per term
            $output = "";
            $temp = str_replace(" -","|-",(str_replace(" -","|-",($input))));
            $temp = explode("|",$temp);
            for ($i = 0; $i < count($temp); $i++){
                if (substr($temp[$i],0,1)=="*"){
                    // leading "*": wildcard match
                    $temp[$i] = $field." like '".rtrim(str_replace("*","%",$temp[$i]))."%'";
                    $output.= $temp[$i]."|";
                } elseif (substr($temp[$i],0,1)=="-"){
                    // leading "-": exclusion
                    $temp[$i] = " and ".$field." not like '".rtrim(str_replace("*","%",$temp[$i]))."'";
                    $output.= $temp[$i]."|";
                } elseif (substr($temp[$i],0,1)=="="){
                    // leading "=": exact match
                    $temp[$i] = " and ".$field."='".rtrim(str_replace("=","",$temp[$i]))."'";
                    $output.= $temp[$i]."|";
                } elseif (substr($temp[$i],0,1)!="+" && substr($temp[$i],0,1)!="-" && substr($temp[$i],0,1)!="*" && substr($temp[$i],0,1)!="="){
                    // no control character
                    $temp[$i] = "and ".$field." like '%".rtrim(str_replace("=","",$temp[$i]))."'";
                    $output.= $temp[$i]."|";
                } else {
                    // leading "+"
                    $temp[$i] = " ".$field."='".rtrim($temp[$i])."'";
                    $output.= $temp[$i]."|";
                }
            }
            // drop the trailing "|"; clauses stay separated by "|"
            $output = " AND ".substr($output,0,strlen($output)-1);
        } else {
            // Single-term path
            $temp = $input;
            if (substr($temp,0,1)=="*"){
                $temp = $field." like '".rtrim(str_replace("*","%",$temp))."'";
            } elseif (substr($temp,0,1)=="-"){
                $temp = $field." not like '".rtrim(str_replace("*","%",$temp))."'";
            } elseif (substr($temp,0,1)=="="){
                $temp = $field."='".rtrim(str_replace("=","",$temp))."'";
            } elseif (substr($temp,0,1)!="+" && substr($temp,0,1)!="-" && substr($temp,0,1)!="*" && substr($temp,0,1)!="="){
                $temp = $field." like '%".rtrim(str_replace("=","",$temp))."'";
            } else {
                $temp = $field."='".rtrim($temp)."'";
            }
            $output = " AND ".$temp;
        }
    } else {
        $output = "";
    }
    return $output;
}
=================================================

This works fine if the user has entered either no control or the * wildcard with the criteria.

Any suggestions?

Cheers

George

> -----Original Message-----
> From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> Sent: 20 May 2004 2:33 pm
> To: php-windows@xxxxxxxxxxxxx
> Subject: RE: Passing +, =, - at post and get
>
>
> Charles,
>
> No way! This site will only have about 3-4 users as it's an
> intranet and I'll
> be parsing everything at the server end.
>
> George
>
>
> > -----Original Message-----
> > From: Charles P. Killmer [mailto:charlesk@xxxxxxxxxxxxxxxxxxxxx]
> > Sent: 20 May 2004 2:31 pm
> > To: php-windows@xxxxxxxxxxxxx
> > Subject: RE: Passing +, =, - at post and get
> >
> >
> > I hope you are not allowing the client to send T-SQL through the query
> > string. Consider them sending something like
> > File.php?Query='; drop table XXX; --
> >
> > Charles Killmer
> >
> > -----Original Message-----
> > From: George Pitcher [mailto:george.pitcher@xxxxxxxxxxx]
> > Sent: Thursday, May 20, 2004 8:25 AM
> > To: php-windows@xxxxxxxxxxxxx
> > Subject: Passing +, =, - at post and get
> >
> > Hi,
> >
> > I want to be able to pass the '=', '+' and '-' characters both from a
> > web form and as part of a url, to enable a better way of searching.
> > However, these characters are choking my IIS webserver and not getting
> > through to the script.
> >
> > Can anyone suggest a better way of achieving this?
> >
> > Cheers
> >
> > George
> >
> > --
> > PHP Windows Mailing List (http://www.php.net/) To unsubscribe, visit:
> > http://www.php.net/unsub.php
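
The injection concern raised in the thread can be removed by having the filter return placeholders and a parameter list instead of finished SQL. This is an added example, not code from the thread: the column whitelist, the `books` table and the reading of the operators (`=` exact, `-` exclude, `*` wildcard, plain term contains) are assumptions, and it expects PDO-style `?` binding.

```php
<?php
// Added example: column names and operator meanings are assumptions.
const SEARCHABLE = ['title', 'author'];   // hypothetical whitelist of columns

// Escape LIKE metacharacters, then turn the user's '*' into '%'.
function like_pattern(string $term): string {
    $escaped = str_replace(['\\', '%', '_', '['], ['\\\\', '\\%', '\\_', '\\['], $term);
    return str_replace('*', '%', $escaped);
}

// Returns [sql fragment, parameters]; user text never enters the SQL string.
function sql_filter(string $field, string $input): array {
    if (!in_array($field, SEARCHABLE, true)) {
        throw new InvalidArgumentException("unknown field: $field");
    }
    $clauses = [];
    $params  = [];
    foreach (preg_split('/\s+/', trim($input), -1, PREG_SPLIT_NO_EMPTY) as $term) {
        $op   = $term[0];
        $rest = substr($term, 1);
        if ($op === '=' && $rest !== '') {            // =word  exact match
            $clauses[] = "$field = ?";
            $params[]  = $rest;
        } elseif ($op === '-' && $rest !== '') {      // -word  exclude
            $clauses[] = "$field NOT LIKE ? ESCAPE '\\'";
            $params[]  = '%' . like_pattern($rest) . '%';
        } elseif (strpos($term, '*') !== false) {     // wo*d   user-placed wildcard
            $clauses[] = "$field LIKE ? ESCAPE '\\'";
            $params[]  = like_pattern($term);
        } else {                                      // word   contains
            $clauses[] = "$field LIKE ? ESCAPE '\\'";
            $params[]  = '%' . like_pattern($term) . '%';
        }
    }
    $sql = $clauses ? ' AND ' . implode(' AND ', $clauses) : '';
    return [$sql, $params];
}

// Constructed input: the string from the quoted reply plus ordinary operators.
[$where, $params] = sql_filter('title', "=Dune -draft '; drop table XXX; --");
echo "SELECT id FROM books WHERE 1=1$where\n";   // only '?' placeholders appear
print_r($params);                                 // every term is bound data
// With a PDO handle: $stmt = $pdo->prepare($sql); $stmt->execute($params);
```

A literal `+` in a query string is decoded to a space before PHP sees it, so links built server-side should pass values through `urlencode()`, which sends it as `%2B`.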