[PHP] Urlencode vs htmlentities

2005-12-06 Thread Mark Steudel
Let's say I have the following:

Current URL: http://www.domain.com/page.php?action=list
http://www.domain.com/page.php?action=list&top=/page.php?action=list&id=3
top=/page.php?action=list&id=3

$top = $_SERVER['PHP_SELF'].'?'.$_SERVER['argv']['0'];

Now I want to create a URL with a return link in it

<a href="'.$_SERVER['PHP_SELF'].'?action=add&amp;return='.$top.'"> Add
Something </a>

Should I use htmlentities on $top first?

Second let's say instead of constructing a link I want to use a header and
redirect someone

header("location: page.php?action=add&return=".$top );

So do I use urlencode here?

Let's say I have something that has been htmlentitied, and I want to use a
header command, do I htmlentitydecode and then urlencode?


Re: [PHP] Urlencode vs htmlentities

2005-12-06 Thread comex
> Should I use htmlentities on $top first?

AFAIK, all of what you said is correct except for that, where you
should use htmlentities(urlencode($top)).

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP] Urlencode vs htmlentities

2005-12-06 Thread Curt Zirzow
On Tue, Dec 06, 2005 at 12:05:10PM -0800, Mark Steudel wrote:
> Let's say I have the following:

Before I go further:

  htmlentities - escapes the output for html
  urlencode    - escapes the output for a url

> Current URL: http://www.domain.com/page.php?action=list
> http://www.domain.com/page.php?action=list&top=/page.php?action=list&id=3
> top=/page.php?action=list&id=3
>
> $top = $_SERVER['PHP_SELF'].'?'.$_SERVER['argv']['0'];

- Be careful when using PHP_SELF, probably not a factor here but
  consider if someone requested /page.php/foobar?action
  PHP_SELF will be 'page.php/foobar'

- $_REQUEST['argv']... well there isn't any such requested
  variable.

> Now I want to create a URL with a return link in it
>
> <a href="'.$_SERVER['PHP_SELF'].'?action=add&amp;return='.$top.'"> Add
> Something </a>
>
> Should I use htmlentities on $top first?

no.. you are defining a url parameter, so you should escape for a url

> Second let's say instead of constructing a link I want to use a header and
> redirect someone
>
> header("location: page.php?action=add&return=".$top );
>
> So do I use urlencode here?

yes, 'cause you are defining a url parameter.

> Let's say I have something that has been htmlentitied, and I want to use a
> header command, do I htmlentitydecode and then urlencode?

Let's say I open a bottle of wine for someone, should I take the
first sip and say yes this is a good wine or not, or let them taste
and decide.

I wonder this 'cause, well, I wonder why the url has anything to do
with htmlentities, 'cause it doesn't.. all it needs to know is that
what it is sending is ok (urlencoded). The url doesn't care what the
application did prior to sending the data.

Hopefully to explain my first thoughts:

  1. htmlentities should only be applied when outputting data that
     will be interpreted as html.

     ie: echoing to the browser.

  2. urlencode should be used when outputting data that will be
     interpreted within a url.

     ie: making an href or header('Location: ') call, in other words
     defining data being sent via http.

HTH,

Curt.
-- 
cat .signature: No such file or directory

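
The two output contexts discussed in this thread, as an added example that is not code from any of the posters: the return value is URL-encoded once when the URL is built, and the finished URL is HTML-escaped only where it is written into markup. The function names and all sample values (including the PHP_SELF-style string with path info) are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All sample values are constructed.

// Build the raw URL. urlencode() turns $returnTo into a single query-string
// value, so its own '?', '&' and '=' cannot be read as parameters of the
// outer URL.
function build_add_url(string $script, string $returnTo): string
{
    return $script . '?action=add&return=' . urlencode($returnTo);
}

// HTML context: the finished URL is escaped again for the attribute, so '&'
// becomes '&amp;' and a quote or '<' in $script cannot end the attribute.
function add_link_html(string $script, string $returnTo): string
{
    $url = build_add_url($script, $returnTo);
    return '<a href="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">Add Something</a>';
}

// HTTP header context: URL encoding only. HTML escaping here would put a
// literal "&amp;" into the redirect target.
function add_redirect_header(string $script, string $returnTo): string
{
    return 'Location: ' . build_add_url($script, $returnTo);
}

// Constructed stand-ins for the script path and the current URL ($top).
$script = '/page.php';
$top    = '/page.php?action=list&id=3';

echo add_link_html($script, $top), "\n";
echo add_redirect_header($script, $top), "\n";

// Receiving side: the query string decodes back to the original $top.
parse_str(parse_url(build_add_url($script, $top), PHP_URL_QUERY), $query);
var_dump($query['return'] === $top);

// The PHP_SELF caveat from the reply: extra path info is caller-controlled.
// A constructed value with a quote and a tag stays inside the href attribute
// because the whole URL is escaped at output time.
$selfWithPathInfo = '/page.php/x"><b>';
echo add_link_html($selfWithPathInfo, $top), "\n";
```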