转义 urldecode 转义混淆
我有一个 TinyMCE 编辑器 - 其内容需要通过 AJAX 上传。
显然,由于 AJAX 发送参数,它们需要通过 javascripts escape() 函数进行转义,这样就不会破坏 AJAX 参数。这些字段是在 PHP 端进行 mysql_real_escape_string 编辑的,我只需要对 AJAX 参数进行转义。
不幸的是,当我将链接和图像添加到编辑器然后提交时,图像和链接的 URL 如下所示:
http://localhost:8888/%22../img/miscimages/hwo-american.gif/%22
在向用户显示内容的页面(产品视图页面)上,数据库中的字符串是运行urldecode()以消除所有%22和其他转义字符。此页面上没有 javascript,全部由 PHP 生成,因此使用 urldecode() 而不是 unescape()。有什么办法解决这个问题吗?
代码:
AJAX发送
function update(){
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}else{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
var response = xmlhttp.responseText;
alert(response);
window.location = 'admin-products.php';
}
}
var prodID=document.getElementById("editchoice").value;
var edittitle=escape(document.getElementById("editname").value);
var editcategory=document.getElementById("editcat").value;
var editcontent = escape(tinyMCE.get('editcontent').getContent());
var parameters= "prodID="+prodID+"&title="+edittitle+"&content="+editcontent+"&cat="+editcategory;
xmlhttp.open("POST", "../scr/editProduct.php", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.send(parameters);
}
PHP数据库插入
$prodID = $_POST['prodID'];
$title = urldecode(mysql_escape_string($_POST['title']));
$content = urldecode(mysql_escape_string($_POST['content']));
$category = $_POST['cat'];
echo $prodID . $title . $content . $category;
mysql_query("UPDATE product SET title='$title', content='$content', category_id='$category' WHERE id='$prodID'") or die("ERROR: ".mysql_error());
PHP显示在页面上
/* Get Product from Alias */
$alias = $_GET['name'];
$product_selectProd = mysql_query("SELECT * FROM product WHERE alias='$alias'") or die("ERROR: ". mysql_error());
/* Sort Query Vars */
while($product_arrayProd = mysql_fetch_array($product_selectProd)){
$product_category = $product_arrayProd['category_id'];
$product_title = urldecode($product_arrayProd['title']);
$product_text = urldecode($product_arrayProd['content']);
$product_image = $product_arrayProd['main_image'];
$product_sub_image = $product_arrayProd['sub_image'];
/* Build the Product List */
$productDetail .= "<img src='$product_image' width='350' height='240' class='prod_image_left' /><img src='$category_image' width='350' height='240' class='prod_image_right' />";
$productDetail .= "<p> </p><h1>Fiddes $product_title</h1><hr />";
$productDetail .= "$product_text";
}
I've got a TinyMCE editor - the contents of which need to be uploaded by AJAX.
Obviously because of the AJAX sending the parameters, they need to be escaped via javascripts escape() function, this is so it doesn't break the AJAX parameters. The fields are mysql_real_escape_string'ed at the PHP side, I only need the escape for the AJAX parameters.
Unfortunately, when I add links and images into the editor and then submit, the URLs to the images and links appear like this:
http://localhost:8888/%22../img/miscimages/hwo-american.gif/%22
On the page where the contents are displayed to the user (the product view page), the string from the database is run through urldecode() to get rid of all the %22 and other escaped characters. There is no javascript on this page, it's all generated with PHP, hence the urldecode() and not unescape(). Is there any way around this?
CODE:
AJAX Send
function update(){
if (window.XMLHttpRequest)
{// code for IE7+, Firefox, Chrome, Opera, Safari
xmlhttp=new XMLHttpRequest();
}else{// code for IE6, IE5
xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
}
xmlhttp.onreadystatechange=function()
{
if (xmlhttp.readyState==4 && xmlhttp.status==200)
{
var response = xmlhttp.responseText;
alert(response);
window.location = 'admin-products.php';
}
}
var prodID=document.getElementById("editchoice").value;
var edittitle=escape(document.getElementById("editname").value);
var editcategory=document.getElementById("editcat").value;
var editcontent = escape(tinyMCE.get('editcontent').getContent());
var parameters= "prodID="+prodID+"&title="+edittitle+"&content="+editcontent+"&cat="+editcategory;
xmlhttp.open("POST", "../scr/editProduct.php", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.send(parameters);
}
PHP Database Insert
$prodID = $_POST['prodID'];
$title = urldecode(mysql_escape_string($_POST['title']));
$content = urldecode(mysql_escape_string($_POST['content']));
$category = $_POST['cat'];
echo $prodID . $title . $content . $category;
mysql_query("UPDATE product SET title='$title', content='$content', category_id='$category' WHERE id='$prodID'") or die("ERROR: ".mysql_error());
PHP Display on Page
/* Get Product from Alias */
$alias = $_GET['name'];
$product_selectProd = mysql_query("SELECT * FROM product WHERE alias='$alias'") or die("ERROR: ". mysql_error());
/* Sort Query Vars */
while($product_arrayProd = mysql_fetch_array($product_selectProd)){
$product_category = $product_arrayProd['category_id'];
$product_title = urldecode($product_arrayProd['title']);
$product_text = urldecode($product_arrayProd['content']);
$product_image = $product_arrayProd['main_image'];
$product_sub_image = $product_arrayProd['sub_image'];
/* Build the Product List */
$productDetail .= "<img src='$product_image' width='350' height='240' class='prod_image_left' /><img src='$category_image' width='350' height='240' class='prod_image_right' />";
$productDetail .= "<p> </p><h1>Fiddes $product_title</h1><hr />";
$productDetail .= "$product_text";
}
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
来自 MDC: https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/函数#escape_and_unescape_Functions
所以不要使用转义,它已被弃用:)
From MDC: https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#escape_and_unescape_Functions
So don't use escape, it's deprecated :)
只是关于数据库插入的注释。
您不应该使用 urldecode 进行数据库插入。 urlancodes 与数据库无关。对于插入,仅应使用与数据库相关的函数。
在其他地方执行此操作,而不是在将数据插入数据库时执行此操作。 mysql_real_escape_string 应该是插入之前应用于数据的最后一件事。或者你破坏了一切(就像你现在所做的那样)
一个小问题。使用 mysql_real_escape_string 而不是 mysql_escape_string 稍微好一些。对于一些奇怪的编码,它会覆盖你的背部。
最可怕的事情。你没有清理数字。因此,您的代码容易受到 sql 注入攻击。你必须要么
对于别名变量以及您站点中的所有其他动态查询也是如此。你应该尽快修复它。
just a note on your database insert.
you shouldn't use urldecode for the database insert. urlancodes has nothing to do with databases. for the insert only database-related functions should be used.
Do it somewhere else, not a the time when data being inserted to database. mysql_real_escape_string should be the very last thing applied to the data before insert. Or you broke everything (as you do at the moment)
a minor issue. it's slightly better to use mysql_real_escape_string instead of mysql_escape_string. For some odd encodings it will cover your backs.
Most terrible thing. You're not sanitizing numbers. So, your code is open to sql injection attack. You have to either
Same for alias variable and, I suppose, all other dynamic queries in your site. You ought to fix it as soon as possible.
答案似乎就在 TinyMCE 中,我正在 mysql_real_escape_string 处理该字符串,但 TinyMCE 默认情况下已经为您执行了此操作,因此当 php 取消转义这些字符时,它只是转义它的一个实例,而不是它的所有实例。
It seemed the answer lay in TinyMCE, I was
mysql_real_escape_stringing the string but TinyMCE does that already for you by default, so when php was unescaping these characters, it was only escaping one instance of it, instead of all instances of it.