
GET variables with spaces - they work, but is it correct or ok?

I have a PHP page where I'm passing the city name via a "city" URL/GET variable. Currently, it's passing the actual city name even if it has spaces (eg .php?city=New York). I then take the $city GET variable and run a MySQL query against cities.name.

This works just fine - but I've always been under the impression any variables, URL/GET or otherwise should never have spaces. I'm more than capable of either replacing the spaces w/ underscores, or removing them, and putting them back in for the query...etc - but I thought I'd ask first in case spaces are completely fine, and it was just my superstition telling me otherwise.


Spaces are fine, and are generally encoded with +.

To be extra safe, use urlencode() on your values if manually adding them to your GET params.

echo urlencode('New York'); // New+York

CodePad.

Otherwise, if your form is submitting as GET params, just leave them as they are :)

I then take the $city GET variable and run a MySQL query against cities.name.

Make sure you are using the suitable database escaping mechanism to be safe from SQL injection.
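
The two points in this answer, encoding the value when building the link and keeping it out of the SQL text on the receiving side, shown together as an added example that is not part of the original answer. It assumes a cities table with id and name columns and uses an in-memory SQLite database through PDO in place of MySQL; findCity is a hypothetical helper.

```php
<?php
// Added example: constructed data, with an in-memory SQLite database standing in
// for the MySQL "cities" table from the question (assumed columns: id, name).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cities (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO cities (name) VALUES ('New York'), ('Coeur d''Alene')");

// Hypothetical helper: look a city up with a bound parameter, so the value is
// never spliced into the SQL text.
function findCity(PDO $db, string $city): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM cities WHERE name = :name');
    $stmt->execute([':name' => $city]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a space, an apostrophe, and a value containing SQL syntax.
$inputs = ['New York', "Coeur d'Alene", "x' OR '1'='1"];

foreach ($inputs as $city) {
    // Link-building side: urlencode() turns the space into "+" and escapes quotes.
    $query = 'city=' . urlencode($city);

    // Receiving side: PHP decodes the query string before filling $_GET;
    // parse_str() applies the same decoding here without a web server.
    parse_str($query, $get);

    $row = findCity($db, $get['city']);
    printf("%-28s -> %-16s -> %s\n", $query, $get['city'],
        $row ? "id {$row['id']}" : 'no match');
}
```

With MySQL only the PDO connection string changes; the prepared statement and the bound :name parameter stay the same.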


This works fine without using encodeURI() or encodeURIComponent() for parameters with blank spaces from JavaScript to PHP or Python.

echo shell_exec("python test.py \"".$_POST['ytitle']."\" \"".$_POST['yurl']."\"");

Thanks for the note from https://stackoverflow.com/users/8712097/tom-aranda Here's the safer code.

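// escapeshellarg() quotes the value as one shell argument, so spaces and shell metacharacters in it cannot add arguments or commands
system("python GreaseMonkey_Php_Youtube_srt_generator.py ".escapeshellarg($_POST['yurl']));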


A space in a URL is fine. One thing you need to take note of is that whenever you are working with variables taken from outside your control (URL variables, cookies, etc.), always remember to clean them up to prevent SQL injection, XSS, and other malicious attacks.
