Solved

Escape and URLDecode for URL passed using Ajax call

Posted on 2007-04-03
6
452 Views
Last Modified: 2008-02-01
I am using xmlhttp (Ajax) requests to call a PHP program from javascript using the GET method.

I am passing the PHP script a string as parameters which includes the characters %20.  For example, the current call to the PHP program looks like this:

phpparser.php?sqlstr=WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC

The %20 is cut off the param string when it reaches the PHP script, therefore messing up the MySQL query string I am passing.

I fooled around with escape and URLDecode, but how much of the URL needs to be escaped when using xmlhttp (Ajax) calls?  Should I use escape across the entire URL and then URLDecode in the receiving PHP script?

Thanks
0
Comment
Question by:mamuscia
  • 3
  • 2
6 Comments
 
LVL 24

Expert Comment

by:glcummins
Comment Utility
A BIG word of caution on this:  You are opening up your script to a huge security attack. If you allow an SQL query to be passed as-is to your script and then executed, you have no way of knowing what is in the query. A malicious attacker can wreak havoc on your database with this kind of method.

A better option, if you can, is simple to pass the search term and order by term separately, and reconstruct the SQL statement in the script:

phpparser.php?value1=2007.03&orderby=relid&orderdirection=ASC
0
 

Author Comment

by:mamuscia
Comment Utility
I have many fields that the form displays to allow a user to enter to search the database.  In my PHP script I execute a SELECT so the user is constrained to reading the DB.  There is also a check to make sure the construct of the WHERE clause is correct.  How would I encode/decode this URL?
0
 
LVL 63

Expert Comment

by:Zvonko
Comment Utility
You have to encode the query string paramter Values only.
Like this:
"phpparser.php?sqlstr="+escape("WHERE fieldname LIKE '%2007.03%' ORDER BY relid ASC")+"&some="+escape("more parametrs");

You see?
Encoding & and = of the query string is misleading like not encoding special characters in the parameter values.




0
Highfive + Dolby Voice = No More Audio Complaints!

Poor audio quality is one of the top reasons people don’t use video conferencing. Get the crispest, clearest audio powered by Dolby Voice in every meeting. Highfive and Dolby Voice deliver the best video conferencing and audio experience for every meeting and every room.

 
LVL 63

Accepted Solution

by:
Zvonko earned 250 total points
Comment Utility
Oh, and for decode you have not to care. That does PHP for you.

0
 

Author Comment

by:mamuscia
Comment Utility
this works great, thanks!!
0
 
LVL 63

Expert Comment

by:Zvonko
Comment Utility
You are welcome.
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn the basics of jQuery, including how to invoke it on a web page. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery.: (CODE)

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

9 Experts available now in Live!

Get 1:1 Help Now