i need to store s tring like this, AS IS in mysql
member of the ruling <a href="/tets/Polish_United_Workers%27_Party"
but in mysql the %27 is concerted to ' char
how can i keep the sql respecting exactly the string as is?
UPDATE:
I send the text
var string = 'member of the ruling <a href="/tets/Polish_United_Workers%27_Party"'
from javascript to php (maybe the problem is here?)
$.ajax({
url: myurl,
async:false,
data: "text="+string,
type: "POST",
success: function( data ) {....etc...
parte of the sql query on the php file receiving the js call
text = addslashes($_POST["text"])
use
data: {text:string}
instead and let jquery handle the encoding for you. when you insert it to your DB you can call mysql_real_escape_string on it before inserting it so that you're not vulnerable to SQL injection and everything gets escaped properly, or use a more modern database abstraction layer (PDO).
my bad, i overlooked it and YEs the solution was to add escape(string) before submitting to php
arrrhggg
Related
PHP version is 5.6.2
When sending a JS-object, why do strings end up escaped in PHP?
Here is my JS-code:
$.ajax({
url: url,
type: 'POST',
data: {obj: obj},
success: function(data) {},
error: function(req, status, error){},
timeout: 20000
});
All st'rin'gs end up like st\'rin\'gs in PHP. Of course I can stripslashes but what's the proper way of doing this?
Solution for everybody in the same situation, who checked and debugged and still can't find a solution: If you're using Wordpress, that's the cause. WP escapes all $_POST-variables automatically and since this AJAX was posted against wp_ajax.php, it was escaped.
I took the easy way out and did:
stripslashes_deep($_POST['obj'])
You must check your magic quotes configurations first and do proper changes, please consider reading this post: Why are $_POST variables getting escaped in PHP?
I have a search field where users paste URLs (url is the search query). Most urls work fine, but urls with escaped characters are getting 'unescaped'. For example :
When I copy some url from Chrome browser I get escaped url:
url = input query : 'http://website.com/search/my%20query'
echo $_POST['q'] ~ result is 'http://website.com/search/my query'
The query is submitted by $.ajax :
var qurl = $("#url input[name=q]").val();
var queryString = "q="+qurl;
$.ajax({
url : "script.php",
type: "POST",
data: queryString,
.....
How can I receive the query with the escaped characters ?
Should I bother and process(escape the query of my query) the query url myself?
Magic quotes you are off:
php.ini
magic_quotes_gpc=Off
magic_quotes_runtime=Off
magic_quotes_sybase=Off
Your question is a bit short on detail so, unfortunately, there is a fair bit of speculation in this answer:
The % in %20 should be encoded as %25 (giving %2520) when the data is submitted.
PHP will then decode it to give you %20 in $_POST.
I've never heard of PHP double decoding the data before. So it sounds like the problem is that whatever is making the request is failing to encode the data. This is most likely caused by not using a regular form to submit it and using JavaScript instead.
The solution therefore, is to encode it properly in the JavaScript.
For example:
data = "query=" + encodeURIComponent( document.getElementById('myInput').value );
Update in response to JavaScript being added to the question:
var qurl = $("#url input[name=q]").val();
var queryString = "q="+qurl;
My earlier speculation is confirmed. You haven't encoded the data into the correct format for a query string. Since you are using jQuery.ajax, you can use that to handle your encoding (by passing it an object of data) instead of building the query string manually (and then passing a string):
$.ajax({
url : "script.php",
type: "POST",
data: {
q: $("#url input[name=q]").val()
},
I have a window on my site where the visitors can change them password.
The problem is that the & character is never taken :
If I put those two new passwords :
stack&
stack& (the second is the confirmation)
The insertion in the BD is stack (without the &).
This is the js code :
data: 'nouveau_mdp=' + $('input#champ_nouveau_mdp').val(),
the alert shwos me "stack&"
In PHP, a var_dump of $_POST gives me :
stack (without the &).
Is & a reserved word for jquery ?
This is my js code :
$.ajax({
type: 'POST',
url: 'modification_mdp.php',
data: 'nouveau_mdp=' + $('input#champ_nouveau_mdp').val(),
dataType: 'text',
success: function(reponse) {
reponse = $.trim(reponse);
Have you an idea to reselove this problem please ?
Thanks in advance.
Encode the field value
data: 'nouveau_mdp=' + encodeURI($('input#champ_nouveau_mdp').val()),
by this way & is encoded with the ascii number.
Try passing an associative array, which jQuery will encode for you:
data: { nouveau_mdp: $('input#champ_nouveau_mdp').val() }
You'll need to change the PHP code that receives this value to match (it gets an array rather than a string).
The ampersand character is not allowed to pass by Get method or by Post method in PHP. As the usual syntax to access the PHP by GET method is ines.php?user=username&password=mypassword,
the '&' character separates the two Variables.
That is why it is does not take '&' from 'Stack&' You may use Javascript to Validate if & is not entered in the text Box. Use JavaScript to encode the varaible... No decoding is required at the PHP end
encodeURIComponent("stack&")
This line is the problem:
data: 'nouveau_mdp=' + $('input#champ_nouveau_mdp').val(),
The & character has a special meaning in HTTP. If you had multiple parameters they would be separated by & e.g. nouveau_mdp=mynewpassword&old_mdp=myoldpassword
What you need to do is encode characters such as &, = etc as their hex equivalents i.e. %26 and %3D respectively.
In JavaScript you can do this with the encodeURI() function.
Though, as mentioned in the other answer, jQuery also allows you to pass a JSON dictionary of parameters, and it will do the encoding for you.
i am generating a json string using JSON.stringify and my json string will be like
jsonstring=[{"step1":[{"nm":"John & joe"},{"title":"Hello & hai"}]},{"step2":[{"desc":"1234"},{"usr":"abc#xyz.com"}]}]`
i am escaping & with \& and sending this json string to server through ajax.
$.ajax({
url:"test-usr-data.php",
type:"post",
data:"usrdata="+jsonstring,
success: function(response){
console.log("data is "+response);
},
complete:function (jqXHR, textStatus){
console.log("ajax Request completed"+textStatus);
}
});
The problem is with & char in json string, even though i am escaping & to \& data is not posted to server but ajax request status is success.
I tried removing & from json string it works fine and data is posting to server correctly.
Can any one help me in correct way to escaping & in json string.
Who told you that escaping in URL's works by prepending a backslash?
jQuery will take care of it, just do
data: {usrdata: jsonstring},
FYI: You could use encodeURIComponent as well
data: "usrdata=" + encodeURIComponent(jsonstring),
The way to URI encode a & is as %26, given that 0x26 (38) is the ASCII code for that character.
But don't, use the data: { key: value, ... } way of passing parameters to $.ajax instead, and have jQuery do it all for you.
I am having trouble with the simplest of tasks.
The html page has a single textarea tag that sends the data to a php file using $.get() with jquery
From there I use a variety of methods from htmlspecialchars to addslashes.
But nothing seems to work the way it should, either throwing off an error because a single \ was left behind or not preserving newlines.
How can I pass a textarea's value to a php file, make it injection proof and json compatible.
So that when I access it with mysql and format it using $.formatJSON(). It works without any issues and preserves all the new line characters?
//php
$result = htmlspecialchars($_GET["message"]);
mysql_query("INSERT INTO table (message) VALUES ($result)");
//jquery
$.ajax({
url:("http://websitename.com/post.php?message=" + message + "&callback=?"),
dataType: 'JSONP',
success:function(json){
callback($.parseJSON(json));
},
error:function(){
},
});
The recommended practice nowadays is to use prepared statements. This way SQL injections are out of the question. If this proves to be too slow after profiling the code, you should resort to using mysql_(real_)escape_string.
As another step of security you can install an Intrusion Detection System like PHPIDS to add another security layer.
Don't use addslashes or similar, they are not meant for escaping user input for SQL queries.
Also in your case you should not pass the textarea contents via GET but rather via POST as described in the jQuery documentation. Furthermore, the dataType should be 'json' and you don't need to parse it afterwards. An example for getting JSON from PHP in jQuery is given here.
Before using a value in a MySQL query, use mysql_real_escape_string. In addition, you should put single quotes around $result in ($result).