I have a search page (search.php) that calls an AJAX load and loads the results into the #myresults DIV:
```php
$('#myresults').load('results.php', {"q":"<?php echo urlencode($this->params['url']['q']); ?>","min":<?php echo urlencode($this->params['url']['min']); ?>,max:<?php echo urlencode($this->params['url']['max']); ?>});
```
The querystring looks like:
http://www.mydomain.com/search?q=test&min=50&max=100
results.php looks like this:
```php
if (isset($data['q']) && isset($data['min']) && isset($data['max'])) {
    $q = urldecode($data['q']);
    $min = urldecode($data['min']);
    $max = urldecode($data['max']);
}
```
I’m grabbing the querystring values, then posting them to the results page. Is URLEncode needed or should I use htmlspecialchars()? I’ve seen JSON.stringify() and I’m just not sure how to “best” encode my data (so that it can’t be “broken” by those manipulating the querystring) and post it safely to the backend for use in my backend PHP code. I’m most concerned about apostrophes and quotes; how do I handle them?
According to the jQuery documentation, with load() you will get the variables as POST:
So you should just treat it as a normal POST.
If you use the variables in a query, for example, you would use mysql_escape_string() to prevent MySQL injection.
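As an added example (not code from the question or the answer), here is one way to handle both halves: json_encode() with the HEX flags for putting the query-string values into the load() call, so apostrophes and quotes cannot break the JavaScript literal, and a PDO prepared statement on the results.php side in place of the answer's mysql_escape_string(). The table and column names, the $pdo connection and the sample input are assumptions.

```php
<?php
// Added example, not code from the question or answer. Table/column names,
// $pdo and the sample input are assumptions made for illustration.

// search.php side: build the object literal for load() with json_encode().
// The HEX flags escape < > ' " & as \uXXXX, so apostrophes, quotes and a
// stray </script> in the query string stay inside the string literal.
function js_literal($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Constructed sample standing in for $this->params['url'] (assumption).
$params = ['q' => 'O\'Reilly "quoted" </script>', 'min' => '50', 'max' => '100'];

$payload = js_literal([
    'q'   => $params['q'],
    'min' => (int) $params['min'],   // cast so the JS value is a number, not code
    'max' => (int) $params['max'],
]);
echo "\$('#myresults').load('results.php', {$payload});\n";

// results.php side: load() sends the object as an ordinary POST body, which PHP
// has already URL-decoded into $_POST, so urldecode() is not needed. Validate the
// numbers and bind every value with a prepared statement instead of escaping.
function search(PDO $pdo, array $post): array
{
    $q   = (string) ($post['q'] ?? '');
    $min = filter_var($post['min'] ?? null, FILTER_VALIDATE_INT);
    $max = filter_var($post['max'] ?? null, FILTER_VALIDATE_INT);
    if ($q === '' || $min === false || $max === false || $min > $max) {
        return [];
    }
    $stmt = $pdo->prepare(
        'SELECT id, name, price FROM products
          WHERE name LIKE :q AND price BETWEEN :min AND :max'
    );
    // Escape LIKE wildcards so the user's text is matched literally.
    $stmt->bindValue(':q', '%' . addcslashes($q, '%_\\') . '%', PDO::PARAM_STR);
    $stmt->bindValue(':min', $min, PDO::PARAM_INT);
    $stmt->bindValue(':max', $max, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

With the values bound as parameters, the apostrophes and quotes the question worries about reach the database as data only, and the JS side never needs urlencode() or htmlspecialchars() for a script context.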