Send get form without special characters.

Question

I'm know this is simple, but I've been searching everywhere for the answer. I think I maybe over thinking it and making too complicated.

Have a form that sends a get request to populate a listings page, I noticed that when I have the URL String =

../view.php?keyword=a+b all works great.

However, when user enters special character on form and url changes to:

../view.php?keyword=a+%2Cb I get no return values.

I've tried using urlencode() rules and also FILTER_SANITIZE_ENCODED, but can't see to get the code to work with special charters. I've also made sure I am using charset UTF-8.

How can I make the get request to ignore the special charters in the url?

CODE:

  <?php


    if (isset($_REQUEST["water-selection"]) || isset($_REQUEST["city-selection"]) || isset($_REQUEST["bed-selection"]) || isset($_REQUEST["bath-selection"]) || isset($_REQUEST["keyword"]) || isset($_REQUEST["price"]) || isset($_REQUEST["pending"])){
        $where = " WHERE 1=1 ";
        if (isset($_REQUEST["water-selection"]) && $_REQUEST["water-selection"]!="Water Selection"){
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_RESIBDWR = '" . $_REQUEST["water-selection"] . "'";
        }
        if (isset($_REQUEST["city-selection"]) && $_REQUEST["city-selection"]!="City Selection"){
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_City = '" . $_REQUEST["city-selection"] . "'";
        }
        if (isset($_REQUEST["bed-selection"]) && $_REQUEST["bed-selection"]!="Bed(s)"){
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_Bedrooms >= '" . $_REQUEST["bed-selection"] . "'";
        }
        if (isset($_REQUEST["bath-selection"]) && $_REQUEST["bath-selection"]!="Bath(s)"){
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_Bathrooms >= '" . $_REQUEST["bath-selection"] . "'";
        }


if (isset($_GET['keyword']) && '' !== trim($_GET['keyword'])) {
  $terms = explode(' ', $_GET['keyword']);
  $fields = array('ZipCode', 'MLNumber', 'RESIBDWR',
    'ListingOfficeName', 'RESIADDI', 'MarketingRemarks',
    'StreetNumber', 'StreetDirection', 'StreetName', 'StreetSuffix', 'State');
  $criteria = array();
  foreach ($terms as $term) {
    if (!$term) continue;
    $term = @mysql_real_escape_string($term);
    $c = array();
    foreach ($fields as $field) {
      $c[] = 'field_'.$field.' LIKE \'%'.$term.'%\'';
    }

    $criteria[] = implode(' OR ', $c);
  }


  if ($criteria) {
    $condition = '('.implode(")\nAND (", $criteria).')';
    if ($where) $where .= ' AND ('.$condition.')';
    else $where = $condition;
  }
}



        if (isset($_REQUEST["price"])){
            $price = explode(";",urldecode($_REQUEST["price"]));
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_ListingPrice between " . $price[0] . " AND " . $price[1] . " ";
        }
        if (isset($_REQUEST["pending"])){
            if ($where != ""){ $where .= " AND ";}
            $where .= " field_Status = 'Pending'";
        }
    }
    else{
        $where = " WHERE `field_ZipCode` IN (SELECT zip FROM zipcodes)";
    }


    $sql = "SELECT count(id) as count FROM rc_Data $where";

  $res = mysql_query($sql,$con) or die('Query failed: ' . mysql_error() . "<br />\n$sql");
    $records_per_page = 10;

    while($row = mysql_fetch_array($res)){
        $total_rec = $row["count"];
    }

    $total_pages = ceil($total_rec / $records_per_page);

    $curr_page = 1;

    if (isset($_REQUEST["page"])){$curr_page=$_REQUEST["page"];}

    $start_index = ($curr_page-1) * $records_per_page;
    if ($start_index  <0) {$start_index = 0;}
    //$sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data order by distance, (`field_ListingAgentMLSID` = 'H10207') DESC, `field_ListingAgentMLSID`, field_ListingPrice DESC, id desc limit {$start_index}, {$records_per_page}";
    //$sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data order by (`field_ListingAgentMLSID` = 'H10207') DESC, `field_ListingAgentMLSID`, distance, field_ListingPrice DESC, id desc limit {$start_index}, {$records_per_page}";
    $sql = "SELECT *, round(3956 *2 * ASIN( SQRT( POWER( SIN( ( {$lati} - field_Latitude ) * pi( ) /180 /2 ) , 2 ) + COS( {$lati} * pi( ) /180 ) * COS( field_Latitude * pi( ) /180 ) * POWER( SIN( ( {$longi} - field_Longitude) * pi( ) /180 /2 ) , 2 ) ) ),0) AS distance FROM rc_Data  $where order by (`field_ListingAgentMLSID` = 'H10207') DESC, field_ListingPrice DESC limit {$start_index}, {$records_per_page}";
    $res = mysql_query($sql,$con) or die('Query failed: ' . mysql_error() . "<br />\n$sql");
    //echo $sql;

    unset($_GET['page']);
    $qs = http_build_query($_GET);
?>

Answer 1

I don't think the encode is the problem.

In this line:

$terms = explode(' ', $_GET['keyword']);

You explode the querystring keyword variable based only on space.

If you send keyword=a+%2Cb as a parameter, you can see by echoing $_GET['keyword'] that this is automatically translated to a ,b.

So when you split by space, you get two terms: a and ,b, which is not what you want.

Later you use $terms:

foreach ($fields as $field) {
  $c[] = 'field_'.$field.' LIKE \'%'.$term.'%\'';
}

So you basically add sql where constraints using LIKE '%a%', LIKE '%,b%'.

You must define which delimiters to split keyword, so something like:

$terms = explode(' ,', $_GET['keyword']);

would make that second example work (i.e. producing LIKE '%a%', LIKE '%b%').

EDIT

A stronger form of explode is preg_split. Try this:

$terms = preg_split("/[\s,]+/", $_GET['keyword']);