php query string addition

rgb192
At the end of a PHP query string I add
or 1=1

but the text is changed to
%20or%201=1

How can I add
or 1=1 to the end of the URL?

I saw SQL injection tutorials, but none make sense; too theoretical.
Kim Walker, Web Programmer/Technician

Commented:
That is correct for url encoding. You cannot have spaces in a query string. They have been replaced with %20 which is recognized as a space by the server when it receives the request.
Most Valuable Expert 2011
Top Expert 2016
Commented:
The text or 1 = 1 is URL-encoded into or%201%20=%201.  When the information is found inside the $_GET array, it will have been URL-decoded, back into or 1 = 1.  So if you wanted to add or 1 = 1 to test SQL injection, just add or%201%20=%201 to the end of the URL.

PHP functions about URL-encoding:
http://php.net/manual/en/function.urlencode.php
http://php.net/manual/en/function.urldecode.php

General reference:
http://php.net/manual/en/book.url.php

Author

Commented:
full %20 answer with code showed me complete answer

thanks
Most Valuable Expert 2011
Top Expert 2016

Commented:
Thanks for the points.  Just as an aside, sometimes the blank can be URL-encoded into the plus sign, too.  So or 1 = 1 could look like or+1+=+1 and it would likely work correctly, too.
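
As an added example (not part of the original thread), this PHP script shows that the %20 and + forms mentioned in the comments above decode to the same text in $_GET, and how that text is handled by a concatenated query compared with a prepared statement. The `items` table, the `id` parameter and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Constructed sample: what the asker typed after ?id= in the address bar.
$typed = '1 or 1=1';

// Three forms the value can take on the wire: the browser's form from the
// question, PHP's rawurlencode() (%20) and PHP's urlencode() (+).
$wire = [
    'browser'      => 'id=1%20or%201=1',
    'rawurlencode' => 'id=' . rawurlencode($typed),
    'urlencode'    => 'id=' . urlencode($typed),
];

// parse_str() applies the same decoding PHP uses to fill $_GET.
foreach ($wire as $label => $query) {
    parse_str($query, $get);
    printf("%-12s %-22s decoded: %s\n", $label, $query, var_export($get['id'], true));
}

// Hypothetical table in an in-memory SQLite database (assumption, see lead-in).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO items (name) VALUES ('apple'), ('pear'), ('plum')");

$id = $get['id']; // decoded value, exactly as a script would read $_GET['id']

// Weak: the decoded text is pasted into the statement and parsed as SQL.
$concatenated = $db->query("SELECT name FROM items WHERE id = $id")
                   ->fetchAll(PDO::FETCH_COLUMN);

// Corrected: the value is bound as data and never parsed as SQL.
$stmt = $db->prepare('SELECT name FROM items WHERE id = ?');
$stmt->execute([$id]);
$bound = $stmt->fetchAll(PDO::FETCH_COLUMN);

// Stricter still: reject anything that is not an integer before querying.
$validated = filter_var($id, FILTER_VALIDATE_INT);

printf("concatenated query rows: %d\n", count($concatenated));
printf("prepared statement rows: %d\n", count($bound));
printf("integer validation:      %s\n", $validated === false ? 'rejected' : 'accepted');
```

Run it with the PHP command-line interpreter; comparing the two row counts shows why the encoding on the wire does not matter to the database, only how the decoded value reaches the query.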