Link to home
Start Free TrialLog in
Avatar of mamuscia
mamusciaFlag for United States of America

asked on

Escape and URLDecode for URL passed using Ajax call

I am using xmlhttp (Ajax) requests to call a PHP program from javascript using the GET method.

I am passing the PHP script a string as parameters which includes the characters %20.  For example, the current call to the PHP program looks like this:

phpparser.php?sqlstr=WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC

The %20 is cut off the param string when it reaches the PHP script, therefore messing up the MySQL query string I am passing.

I fooled around with escape and URLDecode, but how much of the URL needs to be escaped when using xmlhttp (Ajax) calls?  Should I use escape across the entire URL and then URLDecode in the receiving PHP script?

Thanks
Avatar of glcummins
glcummins
Flag of United States of America image
A BIG word of caution on this:  You are opening up your script to a huge security attack. If you allow an SQL query to be passed as-is to your script and then executed, you have no way of knowing what is in the query. A malicious attacker can wreak havoc on your database with this kind of method.

A better option, if you can, is simple to pass the search term and order by term separately, and reconstruct the SQL statement in the script:

phpparser.php?value1=2007.03&orderby=relid&orderdirection=ASC
Avatar of mamuscia
mamuscia
Flag of United States of America image

ASKER

I have many fields that the form displays to allow a user to enter to search the database.  In my PHP script I execute a SELECT so the user is constrained to reading the DB.  There is also a check to make sure the construct of the WHERE clause is correct.  How would I encode/decode this URL?
Avatar of Zvonko
Zvonko
Flag of North Macedonia image
You have to encode the query string paramter Values only.
Like this:
"phpparser.php?sqlstr="+escape("WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC")+"&some="+escape("more parametrs");

You see?
Encoding & and = of the query string is misleading like not encoding special characters in the parameter values.




ASKER CERTIFIED SOLUTION
Avatar of Zvonko
Zvonko
Flag of North Macedonia image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of mamuscia
mamuscia
Flag of United States of America image

ASKER

this works great, thanks!!
Avatar of Zvonko
Zvonko
Flag of North Macedonia image
You are welcome.