GET variables with spaces - they work, but is it correct or ok?

臣服心动 2021-01-01 22:34

I have a PHP page where I'm passing the city name via a "city" URL/GET variable. Currently, it's passing the actual city name even if it has spaces (eg .php?city=

3 Answers
  • 2021-01-01 23:16

    A space in a URL is fine. One thing you need to take note of is that whenever you work with variables taken from outside your control (URL variables, cookies, etc.), always remember to clean them up to prevent SQL injection, XSS, and other malicious attacks.

    0 Discussion (0)
  • 2021-01-01 23:20

    This works fine without using encodeURI() or encodeURIComponent() for parameters with blank spaces from JavaScript to PHP or Python.

    echo shell_exec("python test.py \"".$_POST['ytitle']."\" \"".$_POST['yurl']."\"");
    

    Thanks for the note from https://stackoverflow.com/users/8712097/tom-aranda Here's the safer code.

    // escapeshellarg() passes the value as one quoted argument, even when it contains spaces
    system("python GreaseMonkey_Php_Youtube_srt_generator.py ".escapeshellarg($_POST['yurl']));
    
    0 Discussion (0)
  • 2021-01-01 23:26

    Spaces are fine, and are generally encoded with +.

    To be extra safe, use urlencode() on your values if manually adding them to your GET params.

    echo urlencode('New York'); // New+York
    

    Otherwise, if your form is submitting as GET params, just leave them as they are :)

    > I then take the $city GET variable and run a MySQL query against cities.name.

    Make sure you are using the suitable database escaping mechanism to be safe from SQL injection.

    0 Discussion (0)
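
The two points in the last answer (encode the value when building the link, bind it when querying cities.name), as an added example that is not part of the original answers. The `cities.php` name, the function names, the table layout and the sample rows are assumptions, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example: file name, table layout and sample rows are constructed for illustration.

// Building the link: encode the value so spaces and reserved characters survive.
function cityLink(string $city): string
{
    // http_build_query() URL-encodes each value (a space becomes "+").
    return 'cities.php?' . http_build_query(['city' => $city]);
}

// Handling the request: bind the value instead of concatenating it into the SQL text.
function findCity(PDO $db, string $city): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM cities WHERE name = :name');
    $stmt->execute([':name' => $city]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumption: in-memory SQLite instead of MySQL; prepare()/execute() are used
// the same way with a "mysql:" DSN.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cities (name) VALUES ('New York'), ('Coeur d''Alene')");

// Constructed inputs: a name with a space, a name with a quote, and a value
// shaped like a SQL injection attempt.
foreach (['New York', "Coeur d'Alene", "x' OR '1'='1"] as $city) {
    $link = cityLink($city);

    // Simulate how PHP fills $_GET from the query string (decoding "+" and %xx).
    parse_str(parse_url($link, PHP_URL_QUERY), $get);

    $row = findCity($db, $get['city']);

    // Escape on output so a stored or reflected value cannot inject markup.
    $shown = $row ? htmlspecialchars($row['name'], ENT_QUOTES) : 'no match';
    printf("%s -> %s\n", $link, $shown);
}
```

The third input is treated as a literal city name by the bound parameter, so it matches no row instead of changing the query.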