
I need to fetch the value of parameters, but if a parameter contains a '+' sign like (g + 6) then it's only giving me (g 6); it's ignoring the '+' sign.

```php
<?php
// Values in $_GET are already URL-decoded, so a '+' in the query string
// has become a space by the time it is read here.
$volume = $_GET['vol'] ?? '';
$title = $_GET['title'] ?? '';
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); // escape before echoing user input
?>
```

I am doing this, but if title = "(g+6)" it's giving (g 6), ignoring the '+' sign.

  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still at risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – hppycoder Apr 08 '21 at 17:23
  • Specifically - `$sql = "select * from `$volume` where title = '$title' and author = '$author'";` takes whatever is passed in through the URL for `title` and `author` and sends it directly to the database. Using params as mentioned in my other comment will protect your database against injections – hppycoder Apr 08 '21 at 17:24
  • Please don't change your question because we pick on your insecure SQL queries. We are trying to help you with your question but also look at other potential issues. – hppycoder Apr 08 '21 at 17:26
  • Duplicate of https://stackoverflow.com/questions/6855624/plus-sign-in-query-string – esqew Apr 08 '21 at 17:28
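The decoding behaviour the question describes and the parameterized lookup the comments ask for, as an added example that is not code from the question or from the commenters; the table-name whitelist and the PDO connection details are assumptions:

```php
<?php
// Added example: why '+' disappears from $_GET, how to send a literal '+',
// and how to run the lookup without string-building the SQL.

// 1. In a query string, '+' is the application/x-www-form-urlencoded
//    spelling of a space, and PHP decodes it that way when filling $_GET.
//    A literal plus has to travel as %2B.
parse_str('title=(g+6)', $raw);           // what the browser sent: '+' -> ' '
parse_str('title=%28g%2B6%29', $encoded); // '%2B' -> '+'
var_dump($raw['title']);     // string(5) "(g 6)"
var_dump($encoded['title']); // string(5) "(g+6)"

// 2. Build links with http_build_query() so the encoding is done for you.
$query = http_build_query(['vol' => 'books', 'title' => '(g+6)', 'author' => 'A. Author']);
echo $query, "\n"; // vol=books&title=%28g%2B6%29&author=A.+Author

// 3. Server side: a table name cannot be bound as a parameter, so check it
//    against a fixed list; bind the values with a prepared statement.
function findByTitleAndAuthor(PDO $pdo, string $volume, string $title, string $author): array
{
    $allowedTables = ['books', 'journals']; // assumed whitelist for your schema
    if (!in_array($volume, $allowedTables, true)) {
        throw new InvalidArgumentException('unknown volume');
    }
    $stmt = $pdo->prepare("SELECT * FROM `$volume` WHERE title = :title AND author = :author");
    $stmt->execute([':title' => $title, ':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// $_GET already holds the decoded text, so do not urldecode() it a second
// time: that would turn a genuine '+' (sent as %2B) back into a space.
// $pdo = new PDO('mysql:host=localhost;dbname=library;charset=utf8mb4', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $rows = findByTitleAndAuthor($pdo, $_GET['vol'] ?? '', $_GET['title'] ?? '', $_GET['author'] ?? '');
```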
