Reputation:
How can I replace spaces in a URL with an underline (_)?
$query = mysql_query("SELECT * FROM users WHERE username = '$_GET[user]'");
But if a user has a space in her/his username I wanna replace the space with an underline. So the URL for profile.php?user=John Johnson would be profile.php?user=John_Johnson.
How can I do this?
Thanks!
Upvotes: 2
Views: 4770
Reputation: 342765
Biff,
Try this:
$user = urldecode($_GET['user']);
$user now contains 'John Smith' instead of 'John%20Smith', which I assume is why the query was failing.
$user = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
Your problem seems to be with URL Encoded characters preventing a match. Hope that helps.
Upvotes: 1
Reputation: 21
$path = "your website and the path here"; // like http://stackoverflow.com/index.php?id=1
$page = $_SERVER["QUERY_STRING"];
if(stristr($page, ' ')) {
$page = str_replace(" ","_" , $page);
$page = str_replace("%20%","_" , $page);
$page = str_replace("%20","_" , $page);
$page = str_replace("q=","" , $page);
echo "<meta http-equiv=\"refresh\" content=\"0; url=$path/$page\" />";
die();
}
If you got the page like website.com/index.phphdsdhdh you should remove this line
$page = str_replace("q=","" , $page);
if you want to stop sql injection you can use
addslashes();
or use this function
$page = strtolower($_SERVER["QUERY_STRING"]);
if (stristr($page, 'union') or stristr($page, 'and') or stristr($page, 'or') or stristr($page, 'select')) {
    die("sql injection attack");
}
put it in config
Upvotes: 0
Reputation: 45533
As mentioned elsewhere, str_replace will do what you are specifically looking for, but...
I'd be more worried about profile.php?user=John' DROP DATABASE--
Don't build queries like this. EVER. See SQL Injection for one reason why. Take a look at this article for the right way to do it.
Oh, and a comic to use as a memory aid to reinforce that you should NEVER do this.
EDIT: In response to your response (you're better off editing your original question so that it's obvious that you are clarifying your question). If you have the user 'John Johnson' stored in the database, but you want to access him with the URL profile.php?user=John_Johnson, you need to reverse the replacement you are doing:
$user = str_replace('_', ' ', $_GET['user']);
$user = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
// if the user does not exist, print an error message
if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');
This will take profile.php?user=John_Johnson and produce the SQL query: SELECT * FROM users WHERE username = 'John Johnson'
The sample code you replied with would take profile.php?user=John Johnson and produce the SQL query: SELECT * FROM users WHERE username = 'John_Johnson', which I suspect is the opposite of what you want.
But again, I'd strongly recommend looking into prepared statements. mysql_escape_string is really a stop-gap measure. All it takes is forgetting to use it once and you've opened up your site to hacking.
Upvotes: 13
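The prepared-statement approach recommended in the answer above, as an added example that is not part of the original answer. It uses PDO with an in-memory SQLite table so it runs offline; the table contents and the helper names find_user and profile_url are assumptions.

```php
<?php
// Added example: constructed schema and data, in-memory SQLite so it runs offline.
// With MySQL only the DSN changes; the prepared statement is identical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$pdo->exec("INSERT INTO users (username) VALUES ('John Johnson'), ('Biff'), ('Victor O''Connor')");

// Hypothetical helper: map the URL form (John_Johnson) back to the stored
// form (John Johnson) and look it up with a bound parameter.
function find_user(PDO $pdo, $slug): ?array
{
    // ?user[]=x makes $_GET['user'] an array; reject anything but a short string.
    if (!is_string($slug) || $slug === '' || strlen($slug) > 64) {
        return null;
    }
    $username = strtr($slug, '_', ' ');   // reverse of the space -> underscore mapping
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);  // value is sent as data, never as SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hypothetical helper for building the link: underscore form, then URL-encode the value.
function profile_url(string $username): string
{
    return 'profile.php?user=' . rawurlencode(strtr($username, ' ', '_'));
}

// Constructed inputs standing in for $_GET['user'].
$inputs = ['John_Johnson', "Victor_O'Connor", "John' DROP DATABASE--", ['array']];
foreach ($inputs as $input) {
    $row = find_user($pdo, $input);
    echo json_encode($input), ' => ', $row ? $row['username'] : 'not found', PHP_EOL;
}
echo profile_url('John Johnson'), PHP_EOL;
echo 'rows still in users: ', $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), PHP_EOL;
```

A stored username that itself contains an underscore cannot be reached through this mapping, so either disallow underscores at registration or keep a separate URL slug column.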
Reputation: 7797
Since you do not need regular expressions to do this replacement, you should avoid them since they have significant overhead.
Furthermore, since you're only after characters and not strings, you should go for the function written for character-to-character mapping: strtr()
$result = strtr($original, " ", "_");
Upvotes: 3
Reputation: 13435
You might want to look at preg_replace() and replace all " " with "_" like so:
$result = preg_replace("/\s/", "_", $_GET['user']);
But you should not be putting user input directly into a query like that. Look into PHP input sanitization.
EDIT: Sorry forgot that regex requires \s to mean a space.
Upvotes: 0
Reputation:
Weird, none of your code seems to work... I have a user called John Johnson in the database. It works with the ones without a space.
The code:
$user = str_replace(' ', '_', $_GET['user']);
$user = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
// if the user does not exist, print an error message
if (!mysql_num_rows($query)) exit('<p>The user you are looking for appears to be missing.</p>');
Upvotes: 0
Reputation: 338406
Don't create SQL strings from unchecked user input.
At least use mysql_escape_string() to avoid being hacked on first sight:
$user = str_replace(' ', '_', $_GET['user']);
$user = mysql_escape_string($user);
$query = mysql_query("SELECT * FROM users WHERE username = '$user'");
Upvotes: 3
Reputation: 2044
The str_replace function is what you are looking for. (There are some other alternatives but str_replace is enough for this case)
$query = mysql_query("SELECT * FROM users WHERE username = '" . str_replace(' ', '_', $_GET['user']) . "'");
WARNING: You should seriously read something about SQL injection. Here is some introduction:
http://sk.php.net/security.database.sql-injection
Upvotes: 0
Reputation: 4315
Use str_replace() like this:
$query = mysql_query("SELECT * FROM users WHERE username = '" . str_replace(' ', '_', $_GET['user']) . "'");
Upvotes: 2
Reputation: 29880
You could just replace it in the actual variable using str_replace or strtr. Strtr is usually shown to be faster.
$newUsername = strtr($_GET['user'], ' ', '_');
Should do it, and your new query:
$query = mysql_query("SELECT * FROM users WHERE username = '$newUsername'");
Upvotes: 1