0

So I'm trying to make a website without having any errors, however I keep getting this error:

line 31 column 107 - Error: Bad value display.php? url=A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE for attribute href on element a: Illegal character in query: not a URL code point.

And this is the part of the code that it is highlighting that is giving the error:

</tr><tr><td><a href='display.php? click=A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE'>

The '>' symbol on the end is being highlighted, and it is repeating this for every row.

This is the line of the source code that it is saying is causing the error:

$book = $row['bookTitle'];
echo "<td><a href='display.php? url=".$book."'>\n" .$book."</a></td>";

Any ideas of how to stop this? Any help is appreciated :)

4
  • echo '<td><a href="display.php?url='.$book.'">'.$book.'</a></td>'; Commented Nov 24, 2014 at 15:52
  • Is that the actual generated HTML or something already rendered (such as your browser's DOM pane)? Commented Nov 24, 2014 at 15:59
  • That's the code that I've written, if that's what you're asking? Commented Nov 24, 2014 at 16:04
  • You've written that HTML? It's generated by PHP, isn't it? Commented Nov 24, 2014 at 16:08

2 Answers

3

Your a tag has a space before the query string parameter:

<a href='display.php? url=".$book."'>

this should be:

<a href='display.php?url=".$book."'>

2 Comments

Thanks, just gave that a go but I'm still getting the same error, saying that I'm using an illegal character '>'
Try removing all the spaces from the query string using str_replace(' ', '-', $book) in place of $book - that may be confusing things.
1

I'm not fully sure of the exact reason for the error but you're injecting raw random input into both a URL and an HTML document. You need to escape them properly:

Please note that the value of the href attribute contains a URL that's injected into HTML so you need both escaping mechanisms:

$book = $row['bookTitle'];
echo "<td><a href='display.php?url=" . htmlspecialchars(rawurlencode($book)) . "'>\n" .
    htmlspecialchars($book) . "</a></td>";

I've also fixed what I assume is a little typo (you probably expect $_GET['url'] rather than $_GET[' url']).
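The two escaping layers from the answer above, as an added example that is not code from the original posts. `display.php` and the `url` parameter come from the question; the function names `link_raw`, `link_escaped` and `round_trip` and the second and third titles are constructed for illustration.

```php
<?php
// Unescaped output, as in the question (stray space after '?' removed).
function link_raw(string $book): string
{
    return "<td><a href='display.php?url=" . $book . "'>" . $book . "</a></td>";
}

// Layer 1: URL-encode the value for the query string.
// Layer 2: HTML-escape whatever is written into the document.
function link_escaped(string $book): string
{
    // rawurlencode() percent-encodes everything except A-Z a-z 0-9 - _ . ~
    $url = 'display.php?url=' . rawurlencode($book);
    // ENT_QUOTES also escapes ', which matters because the attribute is
    // single-quoted. With one parameter this call changes nothing in $url;
    // it starts to matter once parameters are joined with '&'.
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    $text = htmlspecialchars($book, ENT_QUOTES, 'UTF-8');
    return "<td><a href='" . $href . "'>" . $text . "</a></td>";
}

// What display.php would see in $_GET['url'] after the browser follows the link.
function round_trip(string $html): string
{
    preg_match("/href='([^']*)'/", $html, $m);
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params['url'];
}

$titles = [
    'A GUIDE TO THE PROJECT MANAGEMENT BODY OF KNOWLEDGE', // from the question
    "O'Reilly's Guide to C# & PHP",                        // constructed sample
    'Comparisons: a < b > c',                              // constructed sample
];

foreach ($titles as $title) {
    $raw     = link_raw($title);
    $escaped = link_escaped($title);
    echo "raw:     $raw\n";
    echo "escaped: $escaped\n";
    // The escaped link delivers the exact title; the raw one is cut short
    // by any quote, '#' or '&' in the title.
    echo "escaped round-trips: ", var_export(round_trip($escaped) === $title, true), "\n";
    echo "raw round-trips:     ", var_export(round_trip($raw) === $title, true), "\n\n";
}
```

On the receiving side, PHP has already percent-decoded `$_GET['url']`, so `display.php` should not call `urldecode()` on it again, and must escape it with `htmlspecialchars()` if it prints it.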
