[RESOLVED] MySQL/PHP/Ajax query... error

listenmirndt

So I am not sure if the issue is PHP or Javascript, I am using this JS code:

var postvar= encodeURI(document.getElementById('<?php echo $link; ?>').value);

http.open('get','ajquery.php?postvar='+postnew+'&nocache = '+nocache+'&field='+'<?php echo $link; ?>'+'&page='+'<?php echo $_GET[page]; ?>'+'&id='+'<?php echo $_GET[id]; ?>'+'&theme='+'<?php echo $rowxxx[THEME]; ?>'+'&table='+'<?php echo $ajaxtable; ?>'+'&q1='+'<?php echo $q1; ?>'+'&q2='+'<?php echo $q2; ?>');

http.onreadystatechange = insertReply<?php echo $link; ?>;
http.send(null);

which puts the contents of my form field into the $_GET[postvar]

then my PHP of ajquery.php is:

$sql    = "UPDATE $table SET
$field  = '$_GET[postvar]' WHERE $q1 = '$q2'";
$query  = mysql_query($sql) or die(mysql_error());

now this all works fine... UNless, someone types a # symbol into the text field... that seems to break the MySQL query...

I have tried htmlentities on the $_GET[postvar] but that didn't seem to help, which makes me think it was an issue in the JS query string, but that's already using encodeURI...

so I am confused what the issue could be with the # symbol breaking the query...

Krik

Wow, you're trying to cause yourself some real trouble. Always sanitize user input. Never, never use the "$GET" or "$POST directly in a query. What if the user were to type in a query string that made a call to a table with sensitive data or just did a "truncate" on that table, it could wipe out your data.

You will want to look into [man]mysql_real_escape_string[/man] it will solve the your problem, as well as avert a potential injection attack.

listenmirndt

so would i...

$GET[postvar] = mysql_real_escape_string($GET[postvar]);

to sanitize first?

i am trying this and still getting a mysql error when using a # symbol...

Krik

You can not set the $GET or $POST superglobals in php.

$postvar = mysql_real_escape_string($_GET['postvar']);

listenmirndt

thanks for the reply,
but

$postvar = mysql_real_escape_string($_GET['postvar']);

returns the same error

listenmirndt

I am trying to handle this $_POST data,

{\"primary\":{\"type\":\"editable\",\"value\":\"CONTENT HERE\",\"snippets\":{}}}

I think it's a JSON decode job, but I am not very familiar with this,

was wondering if someone could show a code example of how to get the content out of this? in particular, the value that holds CONTENT HERE

thanks!

Krik

Hmm, odd it maybe something else in our code.

I was about to suggest using [man]strtr[/man] or [man]preg_replace[/man] and replacing it with its ASCII code, but I just realized the ASCII coodes use the "#".

$postvar = strtr($_GET['postvar'], '#', '#');

Seeing that now makes me think something else is the issue. Have you tried echoing the $_GET['postvar']. And seeing what characters are in it. You mentioned that you were doing a encodeURI which could be placing problematic characters into the string.

Also are you getting any error messages. To find these you would need to be using something like Firebug and then check the Console messages. Otherwise run the "ajquery.php" file directly form the browser just placing the get values in the URL.

Krik

I think it's a JSON decode job, but I am not very familiar with this,

You shouldn't need to to do a json decode unless you first did a json encode in you javascript

But just in case php has a built in decoder [man]json_decode[/man]

listenmirndt

thanks again for the help,

starting with:

.head {
width: 950px;
display:inline-block;
text-align: left;
margin-top: 10px;
margin-bottom: 10px;
}

so $_GET[postvar] returns:

.head { width: 950px; display:inline-block; text-align: left; margin-top: 10px; margin-bottom: 10px; }

then if I do this:

.head {
width: 950px;
display:inline-block;
text-align: left;
margin-top: 10px;
#
margin-bottom: 10px;
}

so $_GET[postvar] returns:
.head { width: 950px; display:inline-block; text-align: left; margin-top: 10px;

basically it seems to stop the string as soon as it finds a # symbol.....

Krik

If it is just getting cut off without any errors I would lean towards maybe browsers interpret the # in special way when its in a URL (GET). Try using POST.

If POST doesn't work there is definitely something else the matter. I send # and all sorts of special characters via AJAX POST and have never had an issue.

I guess you could also have javascript search for any # and replace them with a custom token. Maybe something like "[&35]" then have php find that and switch it to the #.

johanafm

Edit: Hmm, where did the entire thread go? Or have I posted in the wrong thread?

Edit: Since this seems to be a cross post, I suppose it doesn't matter. But perhaps someone could merge this with http://www.phpbuilder.com/board/showthread.php?t=10382976

MOD EDIT: Cross posted indeed - threads merged.

listenmirndt;10994830 wrote:

'&q1='+'<?php echo $q1; ?>'+'&q2='+'<?php echo $q2; ?>'

"WHERE $q1 = '$q2'";

This is not good. If you let both q1 and q2 come from the browser, you must make certain that they are what you expect. It doens't matter if you actually set them to fixed values in your javascript, since there is no guarantee that a user is actually using your clientside code. They might just as well forge their own request, and if they set q1 and q2 to 1, then you get

WHERE 1='1'

which evaluates to true. Thus you'd update all rows in table. Also, $q1 should be checked against a group of ok identifiers to use. For example

$where_idents = array('field1' => 'int', 'field3' => 'string');
if (!in_array($q1, $where_idents))
{
	$where = '';
}
else
{
	if ($where_idents[$q1] == 'string')
	{
		$where = " WHERE $q1 = '" . mysql_real_escape_string($q2). "'"
	}
	elseif ($where_idents[$q] == 'int')
	{
		$where = " WHERE $q1 = " . (int)*$q2;
	}
}
$query = mysql_query($sql . $where);

Krik;10994838 wrote:
You can not set the $GET or $POST superglobals in php.

Actually, you can, although I wouldn't recommend it. Leaving them as is upon request means you will never risk using them later on while believing they have been sanitized when in fact they have not. Also, you may sometimes wish them first escaped in one way, say for a mysql query, and then in another, say for a html document.

listenmirndt;10994830 wrote:
So I am not sure if the issue is PHP or Javascript, I am using this JS code:
http.open('get'

Notice that you are doing a GET and not a POST request.

Thus, to see what the requested URI querystring looks like

alert('postvar='+postnew+'&nocache = '+nocache+'&field='+'<?php echo $link; ?>'+'&page='+'<?php echo $_GET[page]; ?>'+'&id='+'<?php echo $_GET[id]; ?>'+'&theme='+'<?php echo $rowxxx[THEME]; ?>'+'&table='+'<?php echo $ajaxtable; ?>'+'&q1='+'<?php echo $q1; ?>'+'&q2='+'<?php echo $q2; ?>');

Since I don't know what data goes where, I can't be certain, but I'd bet that the CSS code you posted is put into the query string without being properly escaped, thus giving you something like

http://example.com?var=123#this_is_a_fragment_identifier_and_not_part_of_the_query_string

Do note that the fragment identifier isn't sent to the server. It's used to locate an element and scroll it into view, which in HTML 5 means:
the first element whose id equals the fragment identifier
or failing that the first element whose name equals the fragment identifier

bradgrafelman

Krik;10994838 wrote:
You can not set the $GET or $POST superglobals in php.

Why can't you? In fact, you most certainly can...

<?php

$_GET['foo'] = 'bar';

print_r($_GET);

works just fine.

Now, I agree that you shouldn't overwrite the value in those variables, except in the case where you're trying to do something useful like reverse the damage done by magic_quotes_gpc.

Otherwise, if you overwrite the value in the superglobal then you destroy data integrity and lose the original data. That can lead to funny output like:

Welcome to our site, Mr. O\'Donnell!

Krik;10994854 wrote:
If it is just getting cut off without any errors I would lean towards maybe browsers interpret the # in special way when its in a URL (GET).

Well of course they do - that's how you target a named anchor (or an element id value) on a page.

@: You should be encoding the data before placing it into a query string, otherwise things like spaces or special characters is going to make your URL invalid. For example, take a look at Javascript's encodeURIComponent() function.

EDIT: Also, please do not cross-post the same post across multiple forums. Not only is it considered rude by standard netiquette conventions, but it also leads to fragmented discussions (such as the duplication between johanafm's post and my own).

listenmirndt

thanks for the help everyone!

just a quick note @

the cross-post was actually intended as a new post, that i accidentally replied to in this thread instead of posting new (first) (tho it then got merged) but it is a separate issue, thanks!

listenmirndt

encodeURIComponent did the trick!