Ralph
asked on
Javascript to PHP via AJAX, HOW can I get a "%" to pass as parameter?
I'm using jQuery to get form values then building the SQL query's WHERE clause where I'm already handling the values.
Problem is, the % sign, whether escaped \, as %, or %25, is not making it into PHP.
If wireless_no=234, by the time it arrives in PHP it's wireless_no='34%' AND
Any suggestions?
Other than doing cleanup and prep in both languages? Which I certainly can do.
Problem is, the % sign, whether escaped \, as %, or %25, is not making it into PHP.
var wireless_no = $( "#wireless_no]" ).val().trim() ;
var php_params = "job=SearchUsing&FormName=form_TableSearch&tablename=ModemConfiguration&where_clause=" ;
var where_clause= "WHERE " ;
if (wireless_no != "") { where_clause = where_clause+"mc.wireless_no LIKE '%"+wireless_no+"%' AND " ; }
I check it while still in javascript and it's fine, but by the time I get to PHP it's hacked off in front.If wireless_no=234, by the time it arrives in PHP it's wireless_no='34%' AND
Any suggestions?
Other than doing cleanup and prep in both languages? Which I certainly can do.
And I must suggest to you that it is a BAD practice to build any SQL query text in the browser javascript, this will make it so easy for most anyone to do SQL injections on the server,
you MUST at all times take double measures to insure that SQL injection on the server from a web post CAN NOT HAPPEN, if you have ever had this happen you will regret not Taking the time and effort to prevent SQL injection.
you MUST at all times take double measures to insure that SQL injection on the server from a web post CAN NOT HAPPEN, if you have ever had this happen you will regret not Taking the time and effort to prevent SQL injection.
The percent sign has no special meaning, and goes through the request just fine. There may be something wrong in the PHP logic. You might want to see the request variables. You can use var_dump() to print them out.
And I'm 100% with @slick812 on this: Do not build a query in an external client and transmit it to your server for execution. The risk is that once someone sees your JavaScript they may decide to build a query and send it directly to your server.
And I'm 100% with @slick812 on this: Do not build a query in an external client and transmit it to your server for execution. The risk is that once someone sees your JavaScript they may decide to build a query and send it directly to your server.
The percent sign has no special meaning, and goes through the request just fine.I have to disagree with you. If the '%' in the string creates a valid 'percent encoded' value, then it will have special meaning. The most common example is '%20' which will be translated to a ' ' (space) character. Slick812 is correct about using JS encodeURIComponent( ) . HTML forms encode the 'values' (but not the names) when form data is transmitted. You can easily see this if you use method="get" on a simple form.
https://en.wikipedia.org/wiki/Percent-encoding
ASKER
Thank you both for the wise words of caution.
This will always live entirely behind a corporate firewall and used by only one person. Never non-corporate access.
Your concerns are noted and I will not do this kind of SQL access in javascript again.
Slick812, I don't follow this. Can you please elaborate so I can follow?
However in JQUERY it has mechanisms that automatically parse URL post and get addys, but you have to properly place the strings in their methods, usually in an object like -
{job:"SearchUsing", FormName: "form_TableSearch", tablename: "ModemConfiguration",
where_clause: "WHERE mc.wireless_no LIKE '%"+wireless_no+"%' AND "}
I've used php_params constructed this way (never anything SQL-ish) from PHP to JS 20+ times before and everything has made it to PHP just fine through AJAX.
Showing environment in addition to first post (See image captions for clarity.):
Please see the PHP Capture.png then the DebugCapture
Sorry for the roundabout way to get the mouse-over data content in the attached image.
If I encodeURIComponent in JS, do I use urldecode in PHP? I'll give it a try.
Thank you both!
PHP-Capture.PNG
DebugCapture.pdf
This will always live entirely behind a corporate firewall and used by only one person. Never non-corporate access.
Your concerns are noted and I will not do this kind of SQL access in javascript again.
Slick812, I don't follow this. Can you please elaborate so I can follow?
However in JQUERY it has mechanisms that automatically parse URL post and get addys, but you have to properly place the strings in their methods, usually in an object like -
{job:"SearchUsing", FormName: "form_TableSearch", tablename: "ModemConfiguration",
where_clause: "WHERE mc.wireless_no LIKE '%"+wireless_no+"%' AND "}
I've used php_params constructed this way (never anything SQL-ish) from PHP to JS 20+ times before and everything has made it to PHP just fine through AJAX.
Showing environment in addition to first post (See image captions for clarity.):
Please see the PHP Capture.png then the DebugCapture
Sorry for the roundabout way to get the mouse-over data content in the attached image.
If I encodeURIComponent in JS, do I use urldecode in PHP? I'll give it a try.
Thank you both!
PHP-Capture.PNG
DebugCapture.pdf
If I encodeURIComponent in JS, do I use urldecode in PHP?If you are sending the data to a PHP page from JavaScript, it is normally automatically decoded. You only need to use 'urldecode in PHP' if you are creating a link with a query string.
ASKER
Hmmm.
What I had before attach-file failed:
Better SNIP this time. Again, I've put echo-s in PHP to get a look at the data while in JS.
I'm using encodeURIComponent in JS now and urldecode in PHP and I get these results.
Better-Snip.PNG
What I had before attach-file failed:
Better SNIP this time. Again, I've put echo-s in PHP to get a look at the data while in JS.
I'm using encodeURIComponent in JS now and urldecode in PHP and I get these results.
Better-Snip.PNG
ASKER
Of course I can cheat and do a bait-n-switch with a different character...
Not a way to learn or solve a problem rightly though.
Not a way to learn or solve a problem rightly though.
%32 = '2' when decoded. You need to encodeURIComponent '%324%' which then becomes '%25324%25' because the '%' symbols are encoded.
ASKER
Very odd. "%" is an unwanted character!
Using encodeURIComponent in JS now and urldecode in PHP.
When I use %, jQuery into a DIV before AJAX shows:
use).</pre >"; I get:
When I use #, jQuery into a DIV before AJAX shows (NO other changes other then to xlate # to % in PHP):
use).</pre >"; I get:
And the sky is blue!
Can I still be confused?
Using encodeURIComponent in JS now and urldecode in PHP.
When I use %, jQuery into a DIV before AJAX shows:
job=SearchUsing&FormName=form_TableSearch&tablename=ModemConfiguration&where_clause=WHERE%20mc.wireless_no%20LIKE%20'%25324%25'
which looks good, however in PHP, uncommenting my echo "<pre>".vardump($where_clastring(32) " WHERE mc.wireless_no LIKE '24%'"
When I use #, jQuery into a DIV before AJAX shows (NO other changes other then to xlate # to % in PHP):
job=SearchUsing&FormName=form_TableSearch&tablename=ModemConfiguration&where_clause=WHERE%20mc.wireless_no%20LIKE%20'%23324%23'
which looks great! Back in PHP, uncommenting my echo "<pre>".vardump($where_clastring(34) " WHERE mc.wireless_no LIKE '%324%'"
And the sky is blue!
Can I still be confused?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks thanks thanks!
No "#" conversion, just "%"s!
I'll commit the decoding done in web server/before browser to memory.
-- -- --
For further educational enlightenment, for security, not complete by any means, but "always keep anything SQL out of JS and just pass values"?
No "#" conversion, just "%"s!
I'll commit the decoding done in web server/before browser to memory.
-- -- --
For further educational enlightenment, for security, not complete by any means, but "always keep anything SQL out of JS and just pass values"?
For further educational enlightenment, for security, not complete by any means, but "always keep anything SQL out of JS and just pass values"?Yes. It has never occurred to me to pass SQL in a query string or even a POST string. Just values.
ASKER
Educational, persistent, collaborative, complete!
I was busy, so this is late, but just to show some URL conversions, this is the test inputs in a Form
<input name="bumper" type="text" value="OK? Fran&Brad=happy 100%" />
<input name="fender" type="text" value="joker! is > 1/2 sure, * to lander" />
and in the url as -
echo 'this is BUMPER - '.$_GET["bumper"].'<br />this is FENDER - '.$_GET["fender"].'<hr>';
this is BUMPER - OK? Fran&Brad=happy 100%
this is FENDER - joker! is > 1/2 sure, * to lander
for reasons I do not know it does not change the ! or the >
it is the convention now to have all spaces as a + and not a %20
<input name="bumper" type="text" value="OK? Fran&Brad=happy 100%" />
<input name="fender" type="text" value="joker! is > 1/2 sure, * to lander" />
and in the url as -
?bumper=OK%3F+Fran%26Brad%3Dhappy+100%25&fender=joker!+is+>+1%2F2+sure%2C+*+to+lander&up
and the text from the PHPecho 'this is BUMPER - '.$_GET["bumper"].'<br />this is FENDER - '.$_GET["fender"].'<hr>';
this is BUMPER - OK? Fran&Brad=happy 100%
this is FENDER - joker! is > 1/2 sure, * to lander
for reasons I do not know it does not change the ! or the >
it is the convention now to have all spaces as a + and not a %20
it is the convention now to have all spaces as a + and not a %20I believe '+' is the original way and both are recognized as space.
Go to this URL:
http://iconoun.com/demo/ajax_client.php
Enter this in the input box:
Ray%20Baldwin
Like many things in application programming, assumptions abound and there are several layers of "truth" that need to be considered before an application is deployed into the wild!
http://iconoun.com/demo/ajax_client.php
Enter this in the input box:
Ray%20Baldwin
Like many things in application programming, assumptions abound and there are several layers of "truth" that need to be considered before an application is deployed into the wild!
Ray, I modified your page to include a form. You can exercise this thru the submit button for the form or by clicking on your text. It is interesting the differences you get.
<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="utf-8" />
<title>Percent Encoding Using HTML Form</title>
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>
<script>
$(document).ready(function(){
$("#signal").click(function(){
indata = $("#xinput").val();
$.post("ajax_server.php", {myArg:indata}, function(response){
$("#output p#target").html(response);
});
});
});
</script>
</head>
<body>
<form action="ajax_server.php" method="get">
<input name="xinput" id="xinput" value="Enter your name here" />
<input type="submit" name="submit" value="Submit" />
</form>
<div id="signal">This is not a link, but Click Me Anyway!</div>
<div id="output">
<p id="static">This element remains unchanged</p>
<p id="target">This element gets the AJAX response</p>
</div>
</body>
</html>
var send2='img1=33&folder='+en
However in JQUERY it has mechanisms that automatically parse URL post and get addys, but you have to properly place the strings in their methods, usually in an object like -
{job:"SearchUsing", FormName: "form_TableSearch", tablename: "ModemConfiguration",
where_clause: "WHERE mc.wireless_no LIKE '%"+wireless_no+"%' AND "}