GET variables with spaces - they work, but is it correct or ok?

Question

I have a PHP page where I'm passing the city name via a "city" URL/GET variable. Currently, it's passing the actual city name even if it has spaces (eg .php?city=New York). I then take the $city GET variable and run a MySQL query against cities.name.

This works just fine - but I've always been under the impression any variables, URL/GET or otherwise should never have spaces. I'm more than capable of either replacing the spaces w/ underscores, or removing them, and putting them back in for the query...etc - but I thought I'd ask first in case spaces are completely fine, and it was just my superstition telling me otherwise.

Answer 1

Spaces are fine, and are generally encoded with +.

To be extra safe, use urlencode() on your values if manually adding them to your GET params.

echo urlencode('New York'); // New+York

CodePad.

Otherwise, if your form if submitting as GET params, just leave them as they are :)

I then take the $city GET variable and run a MySQL query against cities.name.

Make sure you are using the suitable database escaping mechanism to be safe from SQL injection.

Answer 2

This works fine without using encodeURI() or encodeURIComponent() for parameters with blank spaces from Javascript to Php or Python.

echo shell_exec("python test.py \"".$_POST['ytitle']."\" \"".$_POST['yurl']."\"");

Thanks for the note from https://stackoverflow.com/users/8712097/tom-aranda Here's the safer code.

system(escapeshellcmd("python GreaseMonkey_Php_Youtube_srt_generator.py ".$_POST['yurl']));