Andrés Chandía

Reputation: 1049

escape characters at a mysql query from php

I have a PHP page that displays info from a MySQL table like this:

$query = "SELECT * FROM `diccionary` WHERE `entry` LIKE 'a%' ORDER BY `entry`";

and I use each result as input for a second query to a different PHP file:

$escaped = mysql_real_escape_string($row['entry']);
echo "<a href=editor.php?entry=$escaped>".$row['entry']."</a> | ";

Some of the words that are returned at this page have the following formats, and they are returned this way:
word1 word2
word'
word+
word (-)

but they are not sent correctly at the href=editor.php?entry=$escaped part, actually only the ones ended in apostrophe are ok because I'm using the "mysql_real_escape_string" function, I tried converting the others into escaped characters but it didn't work, like ("+", "+", $row['entry']). These are the links I see in all these cases:

2 words = editor.php?entry=word1 (without the following space nor word2, this gives me back all the words, if any, which match with word1, but not the compound of word1 word2).

word' = editor.php?entry=word\' (which is correct because of the function, and it also gives me back the correct word).

word+ = editor.php?entry=word+ (the + should be escaped because if I click on the produced link it gives me no results, blank page).

word (-) = editor.php?entry=word (this is similar to the case of 2 words, and besides it has the parenthesis which should be escaped also, this one also produces blank page).

I've been looking around and I could only find the way of fixing the apostrophe. I don't know how to fix the rest of the cases. Any help would be valuable.

Thanks a lot.

Upvotes: 0

Views: 2911

Answers (2)

Avneesh

Reputation: 149

Try the urlencode($row['entry']); method (https://www.php.net/urlencode); maybe it can work.
But a word of advice: sending escaped data in the URL is not a good practice.

Upvotes: 0

Mike Brant

Reputation: 71384

You need to URL-encode your data for output into an HTML href property.

$query_string = urlencode($row['entry']);
echo "<a href=editor.php?entry=$query_string>".$row['entry']."</a> | ";

The mysql_real_escape_string function is used for escaping data for use in a query to MySQL, not for use on the query results.

Upvotes: 1
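
The round trip for the four entry formats from the question, as an added example that is not part of either answer: each value is encoded for the context it is written into (URL, then HTML) and reaches the database through a bound parameter. The helper names `entry_link()` and `received_entry()`, the exact-match lookup in editor.php, and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs offline.

```php
<?php
// Added example (not code from the question or the answers).
// Constructed sample data: the four entry formats listed in the question.
$entries = ["word1 word2", "word'", "word+", "word (-)"];

// Listing page: urlencode() the value for the query string, then
// htmlspecialchars() the whole URL and the link text for the HTML context.
function entry_link(string $entry): string
{
    $href = 'editor.php?entry=' . urlencode($entry);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($entry, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Stand-in for PHP filling $_GET in editor.php from the query string.
function received_entry(string $queryString): string
{
    parse_str($queryString, $params);
    return $params['entry'] ?? '';
}

// editor.php side: the decoded value goes into a bound parameter, so no
// SQL escaping function is involved. Assumption: an in-memory SQLite
// database (pdo_sqlite) replaces MySQL here so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE diccionary (entry TEXT)');
$insert = $db->prepare('INSERT INTO diccionary (entry) VALUES (?)');
foreach ($entries as $entry) {
    $insert->execute([$entry]);
}
$lookup = $db->prepare('SELECT entry FROM diccionary WHERE entry = ?');

// Each generated link, followed by whether the lookup returns the same entry.
foreach ($entries as $entry) {
    $lookup->execute([received_entry('entry=' . urlencode($entry))]);
    $found = $lookup->fetchColumn();
    echo entry_link($entry), ' => ', var_export($found === $entry, true), "\n";
}

// Without urlencode(), a literal "+" is decoded as a space on arrival,
// so the lookup for "word+" searches for "word " instead.
$lookup->execute([received_entry('entry=word+')]);
echo 'raw "word+": ', $lookup->fetchColumn() === false ? 'no match' : 'match', "\n";
```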
