passing quotes through url PHP


I'm passing ProductName through a URL, and 2 of the names have single quotation marks in them (which is causing the buttons to not work). Is there any workaround for this? I've tried playing with htmlentities(), but that's not fixing the issue. I get the Uncaught SyntaxError: Unexpected identifier error when I try clicking on a Product that has a quote in its name.

    <?php

    $search = $_GET['search'];

    require 'db/connect.php';

    $result = $db->query("SELECT * FROM products WHERE ProductSearch = '$search'");
    if ($result->num_rows) {
        echo '<table border="0" cellspacing="0" style="width:100%;">';
        echo '<tr><td></td><td><u>Product Name</u></td><td><u>Price</u></td><td><u>Wisconsin Artisans</u></td></tr>';
        while ($row = $result->fetch_assoc()) {
            $ProductId    = $row['ProductId'];
            $ProductImage = htmlentities($row['ProductImage'], ENT_QUOTES, 'UTF-8');
            $ProductName  = $row['ProductName'];
            $ProductPrice = $row['ProductPrice'];
            echo '<tr>';
            echo '<td><a href="productpage.php?productid=', $row['ProductId'], '"><img height="80px" width="80px" src="', $row['ProductImage'], '"/></a></td>';
            echo '<td><a id="productlink" href="productpage.php?productid=', $row['ProductId'], '">', $row['ProductName'], '</a></td>';
            echo '<td> $', $row['ProductPrice'], '</td>';
            echo '<td> ', $row['ProductVendor'], '</td>';
            //echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $row['ProductId'], '\'" value=\'Add to Cart\' id="addtocart"></td></tr>';
            // The raw product name is placed inside a single-quoted JavaScript string in the onClick attribute
            echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';
        }

        echo '</table>';
        $result->free();

    } else {

        echo '<h3 style="color:black;">No products here just yet, but there will be soon!</h3>';

    }
    ?>
3
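As an added example (not the asker's code, and not any answer's), here is the same product table rebuilt so that every value is encoded for the context it lands in: the search term is bound as a prepared-statement parameter instead of being interpolated into the SQL, query-string values go through http_build_query(), and everything that reaches HTML text or an attribute goes through htmlspecialchars(). The inline onClick handler is replaced by a plain link, which removes the JavaScript string context that the quote was breaking. The helper names (h, cartUrl, renderRow, findProducts) and the sample row are my own constructions; the code assumes a mysqli connection in $db with the mysqlnd driver (for get_result()) and the column names used by the original page.

```php
<?php
// Added example, not the original page's code. Assumes a mysqli connection in $db
// (as produced by the original db/connect.php) and the columns the page already uses.
declare(strict_types=1);

/** Escape a value for HTML text and for double-quoted attribute values. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Build the cart URL. http_build_query() percent-encodes every value, so a name
 * such as Grandma's Jam becomes Grandma%27s+Jam and cannot terminate the
 * surrounding HTML or JavaScript. Only the id and quantity are sent: cart.php
 * should look the name and price up again from the database rather than trust
 * values that arrive in the URL and can be edited by the visitor.
 */
function cartUrl(int $productId, int $qty = 1): string
{
    return 'cart.php?' . http_build_query(['ProductId' => $productId, 'ProductQty' => $qty]);
}

/** Render one product row; plain links replace the inline onClick handler. */
function renderRow(array $row): string
{
    $id   = (int) $row['ProductId'];
    $page = 'productpage.php?' . http_build_query(['productid' => $id]);

    return '<tr>'
        . '<td><a href="' . h($page) . '"><img height="80" width="80" src="' . h($row['ProductImage']) . '"></a></td>'
        . '<td><a class="productlink" href="' . h($page) . '">' . h($row['ProductName']) . '</a></td>'
        . '<td>$' . h(number_format((float) $row['ProductPrice'], 2)) . '</td>'
        . '<td>' . h($row['ProductVendor']) . '</td>'
        . '<td><a class="addtocart" href="' . h(cartUrl($id)) . '">Add to Cart</a></td>'
        . '</tr>';
}

/** Look products up with a bound parameter instead of interpolating $_GET['search']. */
function findProducts(mysqli $db, string $search): array
{
    $stmt = $db->prepare(
        'SELECT ProductId, ProductImage, ProductName, ProductPrice, ProductVendor'
        . ' FROM products WHERE ProductSearch = ?'
    );
    $stmt->bind_param('s', $search);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/** Full page fragment, equivalent to the original if/else around the table. */
function renderProductTable(array $rows): string
{
    if ($rows === []) {
        return '<h3 style="color:black;">No products here just yet, but there will be soon!</h3>';
    }
    $html = '<table border="0" cellspacing="0" style="width:100%;">'
        . '<tr><td></td><td><u>Product Name</u></td><td><u>Price</u></td><td><u>Wisconsin Artisans</u></td></tr>';
    foreach ($rows as $row) {
        $html .= renderRow($row);
    }
    return $html . '</table>';
}

// Constructed sample row standing in for a database result, including the
// characters that broke the original page (a single quote) plus & and ".
$sample = [[
    'ProductId'     => 7,
    'ProductImage'  => 'img/jam.jpg',
    'ProductName'   => "Grandma's \"Best\" Jam & Jelly",
    'ProductPrice'  => '4.5',
    'ProductVendor' => 'Door County Preserves',
]];
echo renderProductTable($sample), PHP_EOL;

// With a live connection the call would be:
// echo renderProductTable(findProducts($db, (string) ($_GET['search'] ?? '')));
```

Note that the original used id="productlink" and id="addtocart" on every row; ids must be unique in a document, so the example uses classes instead. The link-based "Add to Cart" also means any string the database returns is rendered as ordinary HTML text and attribute values, which is the one encoding the page needs once no JavaScript is involved.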

There are 3 best solutions below

0
BEST ANSWER

Try changing this:

    'location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'"

to this:

    location.href=\'cart.php?ProductId='. $ProductId .'&ProductName='. $ProductName .'&ProductPrice='. $ProductPrice .'&ProductQty=1\'"

Also try using heredoc for multiline strings and use the curly braces to render variable values; you won't have problems with quotation:

    echo <<<END
    multi
    line
    string
    variable={$var}
    awesome!
    END;

See https://php.net/language.types.string

6
    $ProductImage = htmlentities($row['ProductImage'], ENT_QUOTES, 'UTF-8');
    ...
    echo '....', $row['ProductImage'],'">....

You already converted both double and single quotes to their HTML entities, but then you don't use the variable in which you did so. You should be using $ProductImage rather than $row['ProductImage'] in your echo.

2

Change this line:

    echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', $ProductName, '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';

to:

    echo '<td><input type=button onClick="location.href=\'cart.php?ProductId=', $ProductId, '&ProductName=', urlencode($ProductName), '&ProductPrice=', $ProductPrice, '&ProductQty=1\'" value=\'Add to Cart\' id="addtocart"></td></tr>';

urlencode() will encode the product name correctly so it can be put in a URL. This will convert quote characters to %39.
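The reason urlencode() works where htmlentities() did not is the order in which the browser decodes the attribute: the HTML parser first decodes entities in the onClick value, and only then does the JavaScript engine parse the string literal inside it. So &#039; is turned back into a bare quote before JavaScript sees it and still terminates the literal, whereas %27 (urlencode() encodes the apostrophe as %27) is decoded by neither HTML nor JavaScript and only becomes a quote again when cart.php reads $_GET['ProductName']. The following script, added here as an illustration and not part of any answer, models that decode chain for two constructed product names; the function names (valueAsJsSees, breaksJsStringLiteral, compareEncodings) are my own and the html_entity_decode() call stands in for the browser's HTML parser.

```php
<?php
// Added example, not from the question or the answers. Models what the browser
// does with the onClick attribute: HTML-decode first, then parse as JavaScript.
declare(strict_types=1);

/** The attribute value as the JavaScript engine sees it after HTML decoding. */
function valueAsJsSees(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** True if the value would end (or break) a single-quoted JS string literal. */
function breaksJsStringLiteral(string $value): bool
{
    return strpbrk($value, "'\\\n\r") !== false;
}

/**
 * For one product name, show what each encoding puts in the attribute, what
 * JavaScript sees after HTML decoding, whether that breaks the string literal,
 * and what cart.php would receive in $_GET['ProductName'] if the URL were reached.
 */
function compareEncodings(string $name): array
{
    $candidates = [
        'raw'                        => $name,
        'htmlentities'               => htmlentities($name, ENT_QUOTES, 'UTF-8'),
        'urlencode'                  => urlencode($name),
        'urlencode+htmlspecialchars' => htmlspecialchars(urlencode($name), ENT_QUOTES, 'UTF-8'),
    ];
    $report = [];
    foreach ($candidates as $label => $inAttribute) {
        $jsSees = valueAsJsSees($inAttribute);
        $report[$label] = [
            'in_attribute'  => $inAttribute,
            'js_sees'       => $jsSees,
            'breaks_js'     => breaksJsStringLiteral($jsSees),
            'cart_receives' => urldecode($jsSees),
        ];
    }
    return $report;
}

// Constructed sample names: the apostrophe case from the question, and one with
// characters (& and ") that matter in a query string and in an HTML attribute.
foreach (["Grandma's Jam", 'Salt & Pepper "Set"'] as $name) {
    echo "Product name: $name", PHP_EOL;
    foreach (compareEncodings($name) as $label => $r) {
        printf(
            "  %-28s attribute=%-34s js_sees=%-28s breaks_js=%-5s cart_receives=%s\n",
            $label,
            $r['in_attribute'],
            $r['js_sees'],
            $r['breaks_js'] ? 'yes' : 'no',
            $r['cart_receives']
        );
    }
}
```

Running it shows that the raw and htmlentities() rows both break the literal on the apostrophe name, while both urlencode() rows survive and deliver the original name to cart.php. The last row (urlencode() followed by htmlspecialchars()) is the complete treatment for a value inside an HTML attribute: the percent-encoding protects the URL and the JavaScript string, and the entity-encoding protects the attribute itself, which matters once the URL contains & between parameters.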