Ampersand in GET, PHP

Question

I have a simple form that generates a new photo gallery, sending the title and a description to MySQL and redirecting the user to a page where they can upload photos.

Everything worked fine until the ampersand entered the equation. The information is sent from a jQuery modal dialog to a PHP page which then submits the entry to the database. After Ajax completes successfully, the user is sent to the upload page with a GET URL to tell the page what album it is uploading to --

$.ajax ({
    type: "POST",
    url: "../../includes/forms/add_gallery.php",
    data: $("#addGallery form").serialize(),
    success: function() {
        $("#addGallery").dialog('close');
        window.location.href = 'display_album.php?album=' + title;
    }
});

If the title has an ampersand, the Title field on the upload page does not display properly. Is there a way to escape ampersand for GET?

Thanks

Answer 1

In general you'll want to URL-encode anything that isn't completely alphanumerical when you pass them as parts of your URLs.

In URL-encoding, & is replaced with %26 (because 0x26 = 38 = the ASCII code of &).

To do this in Javascript, you can use the function encodeURIComponent:

$.ajax ({
    type: "POST",
    url: "../../includes/forms/add_gallery.php",
    data: $("#addGallery form").serialize(),
    success: function() {
        $("#addGallery").dialog('close');
        window.location.href = 'display_album.php?album=' + encodeURIComponent(title);
    }
});

Note that escape has the disadvantage that + is not encoded, and will be decoded serverside as a space, and thus should be avoided (source).

If you wish to do this serverside at the PHP level, you'll need to use the function urlencode.