
Ampersand and hash crash my MYSQL Query


I'm using this code to obtain data from a MySQL query.

    if ($filter == "All" && $filter != "") {
        date_default_timezone_set('America/Denver');
        $todays123 = date("Y-m-d H:i");
        // $search and the session username are concatenated straight into the SQL string
        $query = "SELECT * FROM events WHERE events.name LIKE '%".$search."%' AND events.user = '".$_SESSION['username']."' AND events.end > '".$todays123."'";
    } else {
        $todays123 = date("Y-m-d H:i");
        // Same pattern with $filter added; AND binds tighter than OR, so each OR branch
        // repeats its own price/user/end conditions
        $query = "SELECT * FROM events WHERE events.name LIKE '%".$search."%' AND events.price = '".$filter."' AND events.user = '".$_SESSION['username']."' AND events.end > '".$todays123."' OR events.description LIKE '%".$search."%' AND events.price = '".$filter."' AND events.user = '".$_SESSION['username']."' AND events.end > '".$todays123."' OR events.user = '".$_SESSION['username']."' AND events.address LIKE '%".$search."%' AND events.price = '".$filter."' AND events.end > '".$todays123."'";
    }

Here's my JavaScript code:

    function user_display() {
        var xmlhttp;
        var search = document.getElementById("search").value;

        if (search == "" || search == null) {
            search = "";
        }

        var filter = document.getElementById("filter").value;

        if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
        } else { // code for IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }

        xmlhttp.onreadystatechange = function() {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                document.getElementById("table-content").innerHTML = xmlhttp.responseText;
            }
        };

        // search and filter go into the query string exactly as typed
        xmlhttp.open("GET", "./xxx.php?action=display&search=" + search + "&filter=" + filter, true);
        xmlhttp.send();
    }

It matches correctly when the search value does not contain "&" or "#". When I enter an ampersand or hash symbol, the query crashes and does not display anything.

Any suggestions on why it is doing this? Thanks in advance.


Solution

  • You probably should be using encodeURIComponent() in your JavaScript. It's likely that you're not getting results because it's not passing anything in the search variable (or cutting it off short). Consider if the search is "a&foo=c&". The URL you are requesting is now xxx.php?action=display&search=a&foo=c&filter=... so you end up with another GET variable named foo.

    var search = encodeURIComponent(document.getElementById("search").value);
    

    Do the same for filter if it's something the user will supply.
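The parameter splitting the answer describes, as an added example that is not part of the original question or answer: it builds the request URL both as the original user_display() does and as the answer recommends, then parses it the way the browser and PHP's $_GET would. The base URL is a constructed placeholder standing in for ./xxx.php, and the example also covers "#", which starts a URL fragment.

```javascript
// Added example; runs under Node.js (uses the built-in URL class).
// BASE is a constructed placeholder for the page's ./xxx.php endpoint.
const BASE = "http://localhost/xxx.php";

// Builds the GET URL. encode === false reproduces the original user_display()
// (values pasted in as typed); encode === true applies encodeURIComponent()
// to each value, as the answer recommends.
function buildRequestUrl(search, filter, encode) {
  const s = encode ? encodeURIComponent(search) : search;
  const f = encode ? encodeURIComponent(filter) : filter;
  return BASE + "?action=display&search=" + s + "&filter=" + f;
}

// Parses the URL the way it reaches the server: "&" separates parameters,
// and anything after "#" is a fragment that the browser never sends, so PHP's
// $_GET never sees it. Returns the decoded parameters plus the fragment.
function serverView(url) {
  const u = new URL(url);
  const params = {};
  for (const [k, v] of u.searchParams) params[k] = v;
  return { params: params, fragment: u.hash };
}

// Unencoded "&": search is cut to "a" and a stray "foo" parameter appears.
const rawAmp = serverView(buildRequestUrl("a&foo=c&", "All", false));
// Unencoded "#": search is cut to "rock" and "&filter=All" is swallowed by the
// fragment, so the PHP side receives no filter at all.
const rawHash = serverView(buildRequestUrl("rock#pop", "All", false));
// Encoded: both values arrive intact and filter is still present.
const encAmp = serverView(buildRequestUrl("a&foo=c&", "All", true));
const encHash = serverView(buildRequestUrl("rock#pop", "All", true));

console.log("raw &  :", rawAmp.params);
console.log("raw #  :", rawHash.params, "fragment:", rawHash.fragment);
console.log("enc &  :", encAmp.params);
console.log("enc #  :", encHash.params, "fragment:", encHash.fragment);
```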