I have a object with some data being posted to a php script from a javascript. This data is coming from a for, so the user will will out a form, when they hit enter an Ajax script will take the form database, put it into an object then post it to my php encoding it with JSON.
Now i'm new to stuff like JSON so im not 100% sure what its doing, i've read a bit online and my conclusion is that it encodes the data with a sort of universal encoding that all programming languages have..... Maybe not the best description of it but hey. So this isn't doing the same thing as escaping the data is it?
Any, before i process the data and put in into a database i want to escape it but im not sure of the best way to go about this? is there a way i could escape the hole object? Any tips or tricks for this sort of thing?
No, jsons are't escaped at all.
On PHP side you could use json_decode to retrive a decoded form of the data then you will access all of the original object property as a PHP array.
JSON indeed is "universal" in that it is UTF-8 by default, and multi-byte sequences are escaped in \uuuuu format.
However, if you want to store the entire JSON object in the database as-is, that doesn't take away the need to escape the entire string before you insert it into the database, using the string escaping function of your database (or parametrized queries if your library supports them).
Encoding something in JSON is no the same as escaping it. Basically JSON is a serialization format based on Javascript object literals. So on the php side you need to:
Decode the json to PHP
Validate the vales
Escape the values
Insert the values into your db
After you decode the JSON you will be left with an array (see json_decode, and pass true as the second arg to make sure its an array and not a mic of stdObject and arrays).
So then you can pull out the data you ned and escape it you normally would any array passed to you through $_POST before insertion.
Related
I would like to add information to my clients, for example the number of actions they are entitled to perform
I read on another post that we can use the serialize() or json_encode() function to save the array in database
But why not save it directly in text format like this: ["view", "edit", "delete", "save"]?
With the json and serialize functions, how to add or delete data?
For example with json_encode, I have to make a data json_decode() and make an unset() or array_push() then json_encode()? Or is there a better way to do it?
I read on another post that we can use the serialize() or json_encode() function to save the array in database
That isn't entirely accurate. You can use those functions to convert the array to a string. You could then save the string in a database field.
This is Not A Good Idea™ as it means you can't sensibly search on the data in the array. You should make use of the relational nature of databases and set up a real (e.g. many-to-many) relationship.
But why not save it directly in text format like this: ["view", "edit", "delete", "save"]?
Because an array is not a text format (and if that is text, then that is the output that json_encode would give you).
With the json and serialize functions, how to add or delete data? For example with json_encode, I have to make a data json_decode() and make an unset() or array_push() then json_encode()?
Yes
Or is there a better way to do it?
See the earlier note about relationships.
I'm storing data in a MySQL database that may have some special characters. I'm wondering how to store it so that these characters are preserved if they're either output to HTML via PHP OR via JavaScript, e.g. createTextNode.
For example, the division symbol (÷) has the html code ÷, and when I store it as that it shows up fine when put directly into HTML by PHP, but when I pull it into JavaScript using $.getJSON and then insert it with createTextNode it shows up looking like ÷.
I also tried storing the symbol in the SQL directly, but my understanding is that the column would need to be changed from VARCHAR to NVARCHAR and that would cause a performance hit that doesn't seem necessary.
Given that I can modify the SQL, the PHP, or the JavaScript, is there an easy fix here? Maybe a way to unescape the HTML entity in JavaScript?
As answered by Yogesh, you should switch your collation of the DB to utf8_general_ci
So there's probably two things going on:
JSON escapes special characters.
Somewhere, something in your code flow is URL encoding the strings too.
So you just need to decode the string in your JavaScript, or you need to find what part of your code is URL encoding those strings and fix it.
I need to serialize array which contains URLs:
Array(
'url1' => 'http://www.example.com',
'url2' => 'http://www.example1.com'
)
and store it in DB.
When I serialize it standard way, it doesn't work as it contains special chars. I found solution to encode it with base64_encode . Then it works but string is unreadable from me in DB manager program. Is there a way to make this work without base64_decode ?
It should always set off a red flag when you're trying to store serialized data in a relational database. Normalize your schema so you don't have to serialize.
Storing your data in a poor format so it is readable while in the DB is not a good idea. You want to store it in a format that is the most efficient for database system, then update your manager to unserialize it when you are ready yo display.
json_encode is popular these days, and helps make your data portable.
If you're using PHP 5+, try using JSON instead of the native PHP serializer. JSON is a lot more portable.
But your problem could be with automatic escaping of quotes. It would be helpful if you can show examples of your input & output to/from the DB.
There's no reason why serialize shouldn't work on this example, so it may be more to do with adequate escaping of inputs in your SQL query rather than an issue with the kind of serialisation you're doing. If you're using MySQL, try running the serialised data through mysql_real_escape_string() before you concatenate it into your SQL statement.
Separately, I tend to prefer json_encode() for serialisation of values to a DB field, because serialise tends to make serialised data that is very hard to read manually, and extremely difficult to edit.
When encoding newline of textarea before storing into mysql using PHP with rawurlencode function encodes newline as %0D%0A.
For Example:
textarea text entered by user:
a
b
encoding using rawurlencode and store into database will store value as a%0D%0Ab
When retrieving from database and decoding using rawurldecode does not work and code gives error. How to overcome this situation and what is the best way to store and retrieve and display textarea values.
can you first encode this textarea string using base64_encode and then perform a base64_decode on the same, if the above does not work for you.
If the textarea does not contain URLs, you should rather use base64_encode then rawurlencode and then store as normal.
You simply should not use rawurlencode for escaping data for your database.
Each target format has it's own escaping method which in general terms makes sure it is stored/display/transferred safely from one place to another, and it doesn't need decoding at the other end.
For instance:
displaying text in HTML, use htmlentities or htmlspecialchars
storing in database, use mysqli_real_escape_string, pg_escape_string, etc...
transferring variablename, use urlencode
transferring variablecontent, use rawurlencode
etc...
You should notice that decoding these things is often done by the browser/database. So no data is actually stored escaped. And decoding doesn't need te be done by your code.
The problem is probably because you escape a sequence with rawurlencode, but your database expected the escaped format for the specific brand of database. And de-escaped it using that assumption, which was wrong, which messed up your string.
Conclusion: find out what brand database you are using, look up the specific escape function for that database, and use the proper escaping function on all your content "transferral".
P.S.: some definition may not be correct, please comment on that. I wanted to make the idea stick but am probably not using all the right terms.
First of all it is very uncommon to run textarea through urlencode()
urlencode was not designed for this purpose.
Second, if you still want to do this, then maybe the problem comes from database. First you need to tell us what database you using and what TYPE you using for storing this data: do you store it as TEXT or as BINARY data? Have you setup the correct charset in database?
I have some html code I want to store in a database. I need a way to encode it in php so all the special characters don't break the db INSERT (the html can include all sorts of spec chars) and then a way to unencode that at the other end in javascript once i've passed it via JSON so that the html is rendered correctly.
IS there any way I can do this?
Since you are using PHP:
For the database, use PDO: http://bobby-tables.com/php.html
And for the JSON, use the json methods: http://php.net/json
These handle all the escaping for you.
Regarding "not breaking the db INSERT," this should be a completely moot point. You should either be appropriately escaping all user-provided data (eg. mysqli_real_escape_string) or using binding.