Escape and URLDecode for URL passed using Ajax call

Posted on 2007-04-03
Medium Priority
Last Modified: 2008-02-01
I am using xmlhttp (Ajax) requests to call a PHP program from javascript using the GET method.

I am passing the PHP script a string as parameters which includes the characters %20.  For example, the current call to the PHP program looks like this:

phpparser.php?sqlstr=WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC

The %20 is cut off the param string when it reaches the PHP script, therefore messing up the MySQL query string I am passing.

I fooled around with escape and URLDecode, but how much of the URL needs to be escaped when using xmlhttp (Ajax) calls?  Should I use escape across the entire URL and then URLDecode in the receiving PHP script?

Question by:mamuscia
LVL 24

Expert Comment

ID: 18845832
A BIG word of caution on this:  You are opening up your script to a huge security attack. If you allow an SQL query to be passed as-is to your script and then executed, you have no way of knowing what is in the query. A malicious attacker can wreak havoc on your database with this kind of method.

A better option, if you can, is simple to pass the search term and order by term separately, and reconstruct the SQL statement in the script:


Author Comment

ID: 18846022
I have many fields that the form displays to allow a user to enter to search the database.  In my PHP script I execute a SELECT so the user is constrained to reading the DB.  There is also a check to make sure the construct of the WHERE clause is correct.  How would I encode/decode this URL?
LVL 63

Expert Comment

ID: 18847181
You have to encode the query string parameter values only.
Like this:
"phpparser.php?sqlstr="+escape("WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC")+"&some="+escape("more parameters");

You see?
Encoding the & and = of the query string is as misleading as not encoding special characters in the parameter values.


LVL 63

Accepted Solution

Zvonko earned 1000 total points
ID: 18847189
Oh, and for decoding you don't have to care. PHP does that for you.


Author Comment

ID: 18847203
this works great, thanks!!
LVL 63

Expert Comment

ID: 18847252
You are welcome.
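An added example, not code from this thread, that ties the two points together: encoding only the parameter values (with encodeURIComponent, the modern replacement for escape) so the literal "%" in the asker's LIKE pattern survives the trip, and the first expert's safer design of sending the search term and sort column as separate parameters and rebuilding the SQL on the server. The PHP-style decoder, the column allow-list and the table name are assumptions for illustration.

```javascript
// Added example (not from the thread). Part 1: encode only parameter VALUES
// so a literal "%" in a LIKE pattern reaches PHP intact. Part 2: send search
// term and sort column separately and rebuild the SQL server-side.

// Client side: encodeURIComponent is the replacement for the deprecated
// escape() (which leaves "+" and "/" unencoded).
function buildQueryString(params) {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
}

// Assumption: an ASCII-only imitation of PHP's lenient urldecode(), which
// decodes "+" and every valid %XX and leaves a malformed "%" alone.
function phpLikeUrlDecode(s) {
  return s.replace(/\+/g, " ")
          .replace(/%([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}

// Server side: split the query string and decode each key and value once.
function parseQueryString(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    out[phpLikeUrlDecode(k)] = phpLikeUrlDecode(v);
  }
  return out;
}

// Server side: the sort column must come from an allow-list (hypothetical
// column names) and the LIKE pattern is handed back as a bind value for a
// prepared statement, never spliced into the SQL text.
const ALLOWED_ORDER_COLUMNS = ["relid", "fieldname"];
function buildSearchQuery(params) {
  if (!ALLOWED_ORDER_COLUMNS.includes(params.orderby)) {
    throw new Error("orderby not in allow-list: " + params.orderby);
  }
  return {
    sql: "SELECT * FROM records WHERE fieldname LIKE ? ORDER BY " + params.orderby + " ASC",
    bind: [params.term]
  };
}

// Round trip of the asker's pattern: "%2007.03%" comes back unchanged, while
// the same text sent unencoded decodes to " 07.03%".
function roundTrip(term) {
  return parseQueryString(buildQueryString({ term: term, orderby: "relid" })).term;
}
```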
