GET带有空格的变量-它们起作用，但是正确或确定吗? [英] GET variables with spaces - they work, but is it correct or ok?

问题描述

我有一个PHP页面，其中通过"city" URL/GET变量传递城市名称.当前，即使有空格(例如.php?city=New York)，它也会传递实际的城市名称.然后，我使用$ city GET变量并针对city.name运行一个MySQL查询.

I have a PHP page where I'm passing the city name via a "city" URL/GET variable. Currently, it's passing the actual city name even if it has spaces (eg .php?city=New York). I then take the $city GET variable and run a MySQL query against cities.name.

这很好用-但我一直给人的印象是，任何变量(URL/GET或其他方式都不应有空格).我非常有能力替换带下划线的空格，或者删除它们，然后将它们放回查询...等等，但是我想我首先要问的是空格是完全可以的，这是只是我的迷信告诉我否则.

This works just fine - but I've always been under the impression any variables, URL/GET or otherwise should never have spaces. I'm more than capable of either replacing the spaces w/ underscores, or removing them, and putting them back in for the query...etc - but I thought I'd ask first in case spaces are completely fine, and it was just my superstition telling me otherwise.

推荐答案

空格很好，通常使用+进行编码.

Spaces are fine, and are generally encoded with +.

为了更加安全，如果将值手动添加到GET参数中，请在值上使用urlencode().

To be extra safe, use urlencode() on your values if manually adding them to your GET params.

echo urlencode('New York'); // New+York

CodePad .

否则，如果您的表单以GET参数的形式提交，则将它们保持原样:)

Otherwise, if your form if submitting as GET params, just leave them as they are :)

然后我使用$ city GET变量，并针对city.name运行一个MySQL查询.

I then take the $city GET variable and run a MySQL query against cities.name.

请确保您使用的是合适的数据库转义机制，以防止SQL注入.

Make sure you are using the suitable database escaping mechanism to be safe from SQL injection.

这篇关于GET带有空格的变量-它们起作用，但是正确或确定吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！