I would like to ask you if it's necessary to use a mysql_real_escape_string() PHP function for data that I send into my DB in PHP ajax file if the data is encoded in my JS file using encodeURIComponent() function? thanks
Yes. encodeURIComponent encodes the characters so they aren't misinterpreted in the URL (in transport via HTTP); mysql_real_escape_string escapes the string so that it isn't misinterpreted in the MySQL query (inside the database).
In other words, each has a completely different function; not to mention that you have zero guarantee that the request at your PHP file is actually coming from your AJAX call.
Related
I'm attempting to send a string from client-side JavaScript to a back-end PHP script. The string contains special quotes like ’ and “.
When I look at the console in Chrome I can see that these are sent in the POST headers as they are. On the PHP side I then immediately json_encode() the $_POST array and send it back to see what its collected. The special characters now look like this \u2019. This is for testing please note I would normally sanitize all post data.
I wish to use UTF-8 but I'm not sure what I'm missing. My HTML includes:
<meta charset="utf-8">
My PHP server has UTF-8 set as its default charset.
If I start saving such data to the database I start ending up with strings like this: â for ’. However this is not a database issue the characters are already bad before going into the database. MySQL purely accentuates them.
Any ideas?
Update
I've noticed that if I return the string back to javascript without using json_encode() then it's in its original format with the special quotes (’ and “) still.
Have you tried:
utf8_decode()
On the server side for the variables you're passing? PHP is likely expecting iso-8859-1 rather than uft-8.
Turns out there was an issue both sides of the pond. The issue PHP side which this question regards was that the data was being sent to the back-end via a GET request (url encoded). I have changed this to a POST request.
This has allowed me to specify the UTF-8 charset when sending the headers for the POST request.
This is something I encounter often, and I usually end up resorting to the try and try again method until the data works. I figured SO would know what the best practice is in order to maintain the data and not mess up the json.
Let's assume the data I want to send is text data of the most annoying sort - special characters, &,<,", \n, \n\r, \t, +, etc.
Let's also assume I want to keep everything in utf8, and my mysql table is configured to be utf8. However, since PHP's utf8 support is lacking, this should be considered.
What encoding / escaping / htmlentities should I be doing from:
1) Sending JSON data from client JS to PHP via AJAX POST (anything different for GET?)
2) Decoding data in PHP and storing text string in mysql database (or store the escaped/encoded data? )
3) Retrieving data from MySQL DB in PHP and returned as JSON response to JS AJAX request
4) In a JSON response from our REST api
Whenever I use php/mysql/jquery to pass data back and forth, I end up using the following combination of encodings/escapings, and it seems to work well for me.
1) you don't need to do anything here, UNLESS you are sending a URL (I think this is only for GET requests) - but if you're sending a url you need to use encodeURIComponent(url), which will properly escape the &'s and special characters in the url (see more here).
2) Use mysqli and bound parameters, it will do all the escaping for you (read about it here)
3) I always use this when echoing data into an HTML file :
<?php
htmlspecialchars($string_to_escape, ENT_QUOTES, 'UTF-8', false);
?>
This will properly encode all special characters (the false is for "no double encoding"). Also make sure you the proper UTF-8 meta tags at the top of your html pages.
4) Using json_encode should always escape your data properly, but I would use the code from #3 just to make sure. But you'll probably only need it if you're returning data with special characters in it.
for sending json data to php you don't have to do anything special. JSON is just a serialized javascript 'variable'
use prepared statements! do not try to decode/strip/alter the content with php
use the appropriate functions to escape data for json (I don't know if there's a builtin php function for that)
same as 3.
I have a text field where where the user can pass wild cards - more specific to the question they can use '%' character.
I am using ajax to get the value and send it to a PHP file. If I enter '%BA' in the text file and retrieve the value using
document.getElementById('textfield').value
This actually gets '%BA'. I am using POST method to send it to a PHP file. But the variable displays as "�" in the web browser and inserts " ° - degree small o" in the database.
I am sure there are other cases that I am not aware of as well. Is there a function in PHP to escape the special characters or any other way to get the exact string?
Edit: This may be a guess but doing escape(document.getElementById('textfield').value) to send the value and using urldecode($values[3]) to retrieve the value doesn't work. Maybe it's a js to PHP problem.
Update: urldecode will not work. Read the first comment in urldecode. Used the function there. Solved.
while passing the value using ajax , you just encode the value with encodeURIComponent() function and use urldecode() function to decode it in the php file. This might solve the issue.
You could encode the characters with urlencode (and maybe htmlspecialchars too) before storing it in the database, and use urldecode ( and maybe htmlspecialchars_decode) to decode them before displaying to the user.
You can use escape in javascript i.e.
escape(document.getElementById('val'))
I need to encrypt a string using MySQL's AES_ENCRYPT function, then attach that encrypted string to the end of a URL, such that it can then be decrypted and used by a PHP script on the other end.
Basically, I am encrypting the string (using MySQL's AES_ENCRYPT), I am then using PHP's rawurlencode() function to make it "URL safe". I then pass the encrypted string in a URL, which is then retrieved by the PHP script on the other end where it gets successfully decrypted... about 95% of the time.
Seems as though about 5% of strings are encrypting in such a way that they are getting corrupted somewhere in the process, and can't be decoded on the other end after being passed by a URL. Can anyone help me out here? Is there a 100% fool-proof way to do this? I have also tried using urlencode() as well as base64_encode() in varying combinations.
Thanks.
Solved.
Once I have encrypted the string using MySQL's AES_ENCRYPT function, I use PHP's bin2hex() function to convert that encrypted data (which is in binary form) in to Hexidecimal. I then pass the Hexidecimal as a string on the end of the URL. Once the URL is received on the other end, I then use this custom PHP function to revert the Hex string back to binary:
function hex2bin($data) {
$len = strlen($data);
return pack("H" . $len, $data);
}
From there, all that's left to do is decrypt the data using MySQL's AES_DECRYPT function, and wha-la. The original string is successfully restored.
URLs have a finite maximum length. AES-encrypted strings do not.
URLs are not an appropriate vector for passing arbitrary information. Using an HTTP POST is a much better way, if you must communicate over HTTP.
About why you are having problems: quoting from the PHP manual page on urlencode:
Note: Be careful about variables that
may match HTML entities. Things like
&, © and £ are parsed by
the browser and the actual entity is
used instead of the desired variable
name. This is an obvious hassle that
the W3C has been telling people about
for years. The reference is here:
http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2.
PHP supports changing the argument
separator to the W3C-suggested
semi-colon through the arg_separator
.ini directive. Unfortunately most
user agents do not send form data in
this semi-colon separated format. A
more portable way around this is to
use & instead of & as the
separator. You don't need to change
PHP's arg_separator for this. Leave it
as &, but simply encode your URLs
using htmlentities() or
htmlspecialchars().
I'm having problems passing utf-8 strings to javascript (ajax). Currently i'm using rawurlencode on the PHP side and unescape on the javascript side.
The problem is in latin and rawurlencode doesn't support it fully.
Is there any alternative or any better option?
The solution was in json_encode functions. The problems stopped when i added JSON_HEX_APOS|JSON_HEX_QUOT.
Thanks!
use json_encode in PHP and receive responses as JSON (jQuery is helpful)
ajax is sent in utf-8 by default, so You just have to return utf-8
php's utf8_encode(data) gets an ISO-8859-1 string as the data argument.
need more suggestions? Tell me where You get the text from ;)
From experience, Javascript's escape() (ant thus unescape()) are not Unicode (UTF-8) friendly. Use encodeURIComponent() and decodeURIComponent() instead.
Anyway, as the docs says:
The escape() function should not be
used to encode URIs.
If php is doing the encoding and js decoding whay not simply not encode in php and encode in js as well? Not really an answer so much as a work around i guess.