This question already has an answer here:
- How can I prevent SQL injection in PHP? 28 answers
- How can I accept a hash mark in a URL via $_GET? 4 answers
I have this website where users can enter stable names to compete in games against other members. Usually it's fine as I can just escape or use addslashes to handle apostrophes and other such characters. What I am having an issue with is when users use a hash/pound/number sign in the stable name like the first example below or a bunch of special characters like the second example below...
#a new rising
ΔMi−1 = −αΣn=1NDi[n][Σj∈C{i}Fji[n - 1] + Fexti[[n-1]]
When this goes over as part of a URL to a second page and the stable is appended to the URL to be used as a GET variable to pull details from the database, nothing is returned. I have tried using urlencode, rawurlencode, and percent encoding on the $stable variable as is suggested in other questions on this site but nothing seems to work. Below is a sample of the code that has the issue...
Referring URL --- mydomain.com/stable.php?stable=#a new rising&season=59
Code for stable.php...
$stable = $_GET["stable"];
$season = $_GET['season'];
echo htmlspecialchars($stable);
// Bind the values as parameters instead of interpolating them into the SQL
// (replaces addslashes(), which is not a safe escaping mechanism for queries).
$stmt = $link->prepare("SELECT total, wins, loss, ties FROM History_Stables WHERE stable = ? AND season = ?");
$stmt->bind_param('ss', $stable, $season);
$stmt->execute();
$arr = $stmt->get_result()->fetch_array();
// Array keys must be quoted; bare total/wins/loss/ties are undefined constants.
$pts = $arr['total'];
$w = $arr['wins'];
$l = $arr['loss'];
$t = $arr['ties'];
And so on. What exactly am I missing here to get the hash/pound/number sign to be properly encoded as %23?
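The encoding has to happen on the page that generates the link, not in stable.php: a bare "#" starts the URL fragment, and browsers never send the fragment to the server, so stable.php only ever receives stable= (empty). The following is an added example, not code from the question; it assumes a mysqli connection in $link and the History_Stables table and column names used above, and the stable name is a constructed sample.

```php
<?php
// Added example: why the bare "#" breaks the link and how to build it so it
// arrives as %23. Assumes a mysqli connection in $link (not shown).

$stable = '#a new rising';   // constructed sample stable name
$season = 59;

// 1. What the broken link looks like to the browser: everything from "#" on
//    is the fragment and is dropped before the request is sent.
$broken = 'http://mydomain.com/stable.php?stable=' . $stable . '&season=' . $season;
var_dump(parse_url($broken, PHP_URL_QUERY));     // string(7) "stable="
var_dump(parse_url($broken, PHP_URL_FRAGMENT));  // "a new rising&season=59"

// 2. Build the link with http_build_query(), which percent-encodes every
//    reserved character in each value ("#" becomes %23, spaces become "+").
$query = http_build_query(['stable' => $stable, 'season' => $season]);
// $query === 'stable=%23a+new+rising&season=59'
$safe_link = 'stable.php?' . $query;
echo '<a href="' . htmlspecialchars($safe_link) . '">' . htmlspecialchars($stable) . '</a>';

// 3. In stable.php PHP has already decoded the query string, so
//    $_GET['stable'] is "#a new rising" again. Pass it to the database as a
//    bound parameter; no addslashes() or manual escaping is needed.
$stmt = $link->prepare(
    'SELECT total, wins, loss, ties FROM History_Stables WHERE stable = ? AND season = ?'
);
$stmt->bind_param('si', $_GET['stable'], $_GET['season']);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
```

The same applies to the second sample name: http_build_query() percent-encodes the UTF-8 bytes of Δ, Σ and the rest, and $_GET hands the original string back on the other side. If the links must use %20 for spaces rather than "+", build the query with rawurlencode() on each value instead.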