I'm stuck with a php issue.
I've got to send a sql query with a POST form with an ajax request.
This query is like :
SELECT * FROM table WHERE field LIKE '%512%'
The problem is when i take back this query from POST var in php, it shows :
SELECT * FROM table WHERE field LIKE 'Q2%'
and it obviously fail...
I tried changing to utf-8 it didn't change anything.
Javascript seems to send the correct text, but php change it when reading POST.
Is ther a way I can prevent php from reading %51 as ascii code ?
Just in case, the website is written with Code Igniter.
Thanks
Don't send entire SQL queries from a Javascript client to a server. Just don't. That's worse than an SQL injection vulnerability, it's simply carte blanche for query execution by anyone for anything.
Data in HTTP requests is typically encoded using percent encoding, and guess what: %51 happens to stand for "Q" in this encoding. You need to properly encode your data when sending it in an HTTP request, for example using encodeURIComponent(). If you want to send "%51", you need to actually be sending %2551. The specifics will depend on how you're sending that data exactly.
Also consider reading The Great Escapism (Or: What You Need To Know To Work With Text Within Text).
Though you can use %25512%, but I agree with deceze.
Using %25 will be interpreted to % sign
so use %25Your number
POST Data : URL encoding replaces unsafe ASCII characters with a "%" followed by two hexadecimal digits.
First : encode data using javascript function.
var res = encodeURI("SELECT * FROM table WHERE field LIKE '%512%'");
then send the data using ajax.
In PHP, Decode data using function :
$data=urldecode(string $_POST['yourdata']);
For further information you can go through these links:
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
http://php.net/manual/en/function.urldecode.php
http://ascii.cl/htmlcodes.htm
Related
I've got a weird scenario going on here.
On my localhost running WAMP server (Apache, MySQL, PHP), I've created a webpage that displays a list of messages from a table in my database.
Let's say the DIV container was called: #message-list
This list gets displayed correctly (when the page is launched, PHP renders the whole page).
The HTML markup that PHP echoes-out works just fine.
The MySQL database lookup therefore also works! Great.
Now...
With a bit of AJAX and jQuery magic, I've created a form to add more messages on-the-fly, by sending a POST request to a PHP scripts that uses the SAME underlying code that generated the initial #message-list DIV.
The AJAX'ed PHP script does two things:
add a record for the new message from the user;
echoes the list (which should be updated with the new message now);
When the AJAX response comes back to the browser, the JavaScript side replaces the old list with the new #message-list content.
Now this... partially works.
What goes wrong - On one given page, it seems some of my previous posts are somehow "corrupting" something inside the AJAX request on the PHP side, resulting a null response (basically no HTML code gets generated to replace the #message-list DIV tag).
On some other pages though, the AJAX response works fine.
So my question is:
Is it possible that some String data in the Database breaks the execution of my PHP script because of some invalid character, badly encoded, or a quote / double-quote?
I've tried using PHP's htmlentities() and mysql_real_escape_string() functions to solve this, but one of my pages still doesn't properly refreshes the list after the AJAX response is received.
Could it just be that I just need to cleanup / sanitize the existing content in my table?
If so, is there any easy script / query I can use to do this?
Thanks!
EDIT #1:
MySQL version = 5.5.24-log
By using mysql_client_encoding, this shows "latin1" (ah HA! That may be the issue then!)
In PHP, using the mysql_... methods (such as mysql_connect, mysql_select_db, mysql_query, etc.);
Sample of database table with possible issue:
http://pastebin.com/PjLVmXEF
By the looks of it, many developers say PDO is recommended. I'll give that a shot and see if all errors vanish. Thanks a lot for your help so far everyone!
EDIT #2:
My current solution has been this:
I've used these queries to modify my database and the table with the encoding problem:
// SQL queries:
ALTER DATABASE timegrasp charset=utf8;
ALTER TABLE tg_messages CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;
Second, I noticed some characters in a specific record was not displaying correctly (an  around some double-quoted sentences). So I manually backspaced and reinserted the double-quote in MySQL Query Browser to be sure it was completely gone.
On the PHP side, I only encode the messages on the way "in" to the database, with this:
$htmlConverted = htmlentities( $pMessage, ENT_COMPAT | ENT_HTML401, "UTF-8" );
return mysql_real_escape_string( $htmlConverted );
And make sure I begin my MySQL connection with this:
mysql_set_charset("utf8", $DB_LINK);
Then, I can just read the String directly from the table without any decoding / conversion.
Finally, to test this - I copied the same message from the source (a Skype chat with my client) which had the special characters, pasted it in my web form, and now it works fine! :)
I'm not certain all the steps and parameters above were necessary, but this is what helped fix my issue.
It would be good to know for future reference though if any of this is bad practice or common "dont's" mistake when handling special characters in MySQL tables.
The PHP json_encode function refuses to process strings that are invalid in UTF-8: it returns null. If you don't set a character encoding for the database connection it's possible that some other encoding is being used -- not UTF-8 -- and the data you pass to this function is in fact not valid UTF-8.
If you mentioned details such as which database API and which connection parameters you are using I could give further advice...
I'm storing data in a MySQL database that may have some special characters. I'm wondering how to store it so that these characters are preserved if they're either output to HTML via PHP OR via JavaScript, e.g. createTextNode.
For example, the division symbol (÷) has the html code ÷, and when I store it as that it shows up fine when put directly into HTML by PHP, but when I pull it into JavaScript using $.getJSON and then insert it with createTextNode it shows up looking like ÷.
I also tried storing the symbol in the SQL directly, but my understanding is that the column would need to be changed from VARCHAR to NVARCHAR and that would cause a performance hit that doesn't seem necessary.
Given that I can modify the SQL, the PHP, or the JavaScript, is there an easy fix here? Maybe a way to unescape the HTML entity in JavaScript?
As answered by Yogesh, you should switch your collation of the DB to utf8_general_ci
So there's probably two things going on:
JSON escapes special characters.
Somewhere, something in your code flow is URL encoding the strings too.
So you just need to decode the string in your JavaScript, or you need to find what part of your code is URL encoding those strings and fix it.
I am using codeigniter in an app. There is a form. In the textarea element, I wrote something including
%Features%
However, when I want to echo this by $this->input->post(key), I get something like
�atures%
The '%Fe' are vanished.
In main index.php file of CI, I tried var_dump($_POST) and I see the above word is fully ok. but when I am fetching it with the input library (xss filtering is on) I get the problem.
When the XSS filtering is off, it appears ok initially. however, if I store it in database and show next time, I see same problem (even the xss filtering is off).
%Fe happens to look like a URL-encoded sequence %FE, representing character 254. It's being munched into the Unicode "I have no idea what that sequence means" glyph, �.
It's clear that the "XSS filter" is being over-zealous when decoding the field on submission.
It's also very likely that a URL-decode is being run again at some point later in the process, when you output the result from the database. Check the database to make sure that the actual string is being represented properly.
First: Escape the variables before storing them into db. % has special meaning in SQL.
Second: % also has special meaning in URLs eg. %20 is %FE will map to some character which will be decoded by input()
When encoding newline of textarea before storing into mysql using PHP with rawurlencode function encodes newline as %0D%0A.
For Example:
textarea text entered by user:
a
b
encoding using rawurlencode and store into database will store value as a%0D%0Ab
When retrieving from database and decoding using rawurldecode does not work and code gives error. How to overcome this situation and what is the best way to store and retrieve and display textarea values.
can you first encode this textarea string using base64_encode and then perform a base64_decode on the same, if the above does not work for you.
If the textarea does not contain URLs, you should rather use base64_encode then rawurlencode and then store as normal.
You simply should not use rawurlencode for escaping data for your database.
Each target format has it's own escaping method which in general terms makes sure it is stored/display/transferred safely from one place to another, and it doesn't need decoding at the other end.
For instance:
displaying text in HTML, use htmlentities or htmlspecialchars
storing in database, use mysqli_real_escape_string, pg_escape_string, etc...
transferring variablename, use urlencode
transferring variablecontent, use rawurlencode
etc...
You should notice that decoding these things is often done by the browser/database. So no data is actually stored escaped. And decoding doesn't need te be done by your code.
The problem is probably because you escape a sequence with rawurlencode, but your database expected the escaped format for the specific brand of database. And de-escaped it using that assumption, which was wrong, which messed up your string.
Conclusion: find out what brand database you are using, look up the specific escape function for that database, and use the proper escaping function on all your content "transferral".
P.S.: some definition may not be correct, please comment on that. I wanted to make the idea stick but am probably not using all the right terms.
First of all it is very uncommon to run textarea through urlencode()
urlencode was not designed for this purpose.
Second, if you still want to do this, then maybe the problem comes from database. First you need to tell us what database you using and what TYPE you using for storing this data: do you store it as TEXT or as BINARY data? Have you setup the correct charset in database?
The example web page has 2 fields and allows a user to enter a title and code. Both fields would later be embed and displayed in an HTML page for viewing and/or editing but not execution. In other words, any PHP or javascript or similar should not run but be displayed for editing and copying.
In this case, what is the best way to escape these fields before database insertion and after (for HTML display)
You need to use the function htmlspecialchars() in php
that will change any special characters (eg < and >) into their special HTML encoded characters (eg < and >). When you get these from the database and output them as HTML they will display as code, but won't harm your script or execute.
I faced with the same problem a few days back, to put the codes (javascript or PHP ) in the html in a non executable way, I used textarea, it solved the purpose.
The problem however, was with the database. I cannot use the typical escape functions with the data, as it is affecting my data, for example the tags are getting messed up.
To solve this problem, I encoded the data in base 64 format before putting it in the database. So what is happening is my JavaScript code is encoded and the resultant code is no longer a Javascript code and I can use the escape functions on this and store it in the database.
I am open to suggestions, feel free to comment.