PHP/HTML Error - Illegal Character


So I'm trying to make a website without having any errors, however I keep getting this error:

line 31 column 107 - Error: Bad value display.php? url=A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE for attribute href on element a: Illegal character in query: not a URL code point.

And this is the part of the code that it is highlighting that is giving the error:

</tr><tr><td><a href='display.php? click=A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE'>

The '>' symbol on the end is being highlighted, and it is repeating this for every row.

This is the line of the source code that it is saying is causing the error:

$book = $row['bookTitle'];
echo "<td><a href='display.php? url=".$book."'>\n" .$book."</a></td>";

Any ideas of how to stop this? Any help is appreciated :)

2

There are 2 best solutions below

0
On BEST ANSWER

I'm not fully sure of the exact reason for the error but you're injecting raw random input into both a URL and an HTML document. You need to escape them properly:

Please note that the value of the href attribute contains a URL that's injected into HTML so you need both escaping mechanisms:

$book = $row['bookTitle'];
echo "<td><a href='display.php?url=" . htmlspecialchars(rawurlencode($book)) . "'>\n" .
    htmlspecialchars($book) . "</a></td>";

I've also fixed what I assume is a little typo (you probably expect $_GET['url'] rather than $_GET[' url']).
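The two escaping layers described in the answer above, shown side by side with the unescaped concatenation. This is an added example, not part of the original answer; the function names `bookHref`, `bookCell` and `rawCell` and the sample titles are constructed for illustration.

```php
<?php
// Added example; the titles below are constructed sample data.
$titles = [
    'A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE',
    "Rock 'n' Roll & <Blues>",   // apostrophe, ampersand and angle brackets
    'C++ 100% Explained?',       // characters with their own meaning in a URL
];

// Layer 1: the title is a query-string value, so percent-encode it.
function bookHref(string $title): string
{
    return 'display.php?url=' . rawurlencode($title);
}

// Layer 2: both the URL and the link text are placed into HTML.
// ENT_QUOTES is set because the href attribute is single-quoted.
function bookCell(string $title): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    return "<td><a href='" . htmlspecialchars(bookHref($title), $flags, 'UTF-8') . "'>"
        . htmlspecialchars($title, $flags, 'UTF-8') . "</a></td>";
}

// The question's concatenation (without the stray space), for comparison.
function rawCell(string $title): string
{
    return "<td><a href='display.php?url=" . $title . "'>" . $title . "</a></td>";
}

foreach ($titles as $title) {
    echo "raw:     ", rawCell($title), "\n";
    echo "escaped: ", bookCell($title), "\n";

    // What display.php would receive in $_GET['url']: PHP decodes the
    // percent-encoding itself, so the original title comes back unchanged.
    parse_str((string) parse_url(bookHref($title), PHP_URL_QUERY), $query);
    echo "round-trip ok: ", var_export($query['url'] === $title, true), "\n\n";
}
```

With the second title, the raw version ends the `href` attribute at the first apostrophe, while the escaped version keeps the whole title inside the attribute. On `display.php`, the decoded `$_GET['url']` value needs `htmlspecialchars()` again before it is echoed into the page.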

2
On

Your a tag has a space before the query string parameter:

<a href='display.php? url=".$book."'>

this should be:

<a href='display.php?url=".$book."'>