传递“(”和“)”通过 URI 会导致 403 错误,我该如何对其进行编码?
(JavaScript 用于 XML HTTP 请求,PHP 用于执行 SQL 查询。)
我正在构建一个执行查询的 Web 应用程序。它使用 XMLHTTP 请求 GET 方法并将查询传递给执行它的 PHP 脚本。它工作正常,直到我在其中引入括号 ( ) 。
下面是一个工作原理的示例:
function executeQry(){
qry = document.getElementByID('textarea').value;
qryHTTPRequest(encodeURI(qry));
//I've also tried encodeURIComponent(qry);
}
function xmlHTTPRequest(qry){
//fetches
urlFetch = "http://my.url.com/script.php?qry=" + qry;
}
这是一个快速参考,我知道我的 xmlhttp 请求工作正常,因为它在传递其他查询时执行需要执行的操作,例如:
SELECT * FROM `tableName`
工作正常,但是当您尝试执行类似操作时
CREATE TABLE `new_table`
AS (SELECT * FROM `old_table`)
然后这是它不会执行的时候,我收到 403 错误,所以我认为它是 () 的错误,因为我什至在 PHP 本身上尝试了相同的代码,而不必传递它并且它有效,所以肯定有一个问题URL编码过程对吗?如果这是问题,有没有一种方法可以对这些字符进行编码?我假设还有其他字符未使用 encodeURI() 方法以及 encodeURIComponent() 进行编码。提前致谢!
(JavaScript for the XML HTTP request and PHP for the execution SQL query.)
I'm building a web app that executes queries. It uses the XMLHTTP request GET method and passes a query to a PHP script that executes it. It works fine until I introduce parentheses ( ) in it.
Here is an example of how works:
function executeQry(){
qry = document.getElementByID('textarea').value;
qryHTTPRequest(encodeURI(qry));
//I've also tried encodeURIComponent(qry);
}
function xmlHTTPRequest(qry){
//fetches
urlFetch = "http://my.url.com/script.php?qry=" + qry;
}
this is a quick reference, I know that my xmlhttp request works fine because it does what it needs to do when other queries are passed through for example:
SELECT * FROM `tableName`
works fine, but when you try to do something like
CREATE TABLE `new_table`
AS (SELECT * FROM `old_table`)
Then this is when it won't execute, I get the 403 error so I figured that it's an with the () because I even tried this same code on the PHP itself, without having to pass it through and it worked, so there must be an issue with the URL encoding process right? If this is the issue, is there a method for encoding these characters? I assume there are other characters that don't get encoded with encodeURI() method as well as the encodeURIComponent(). Thanks in advance!
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
下面的代码应该可以做到这一点:
括号在 URI 语法中是个奇怪的东西。许多编码器将它们视为特殊的,即使它们仅出现在过时的“标记”产品中。使用常见的 Web 协议(
http、https、mailto),可以安全地将它们编码为%28和 < code>%29 尽管网络服务器允许为它们分配特殊含义。您已经在使用encodeURI或encodeURIComponent,因此您已经假设 URL 转义序列是 UTF-8。来自 RFC 3986:
The below should do it:
Parentheses are oddballs in the URI grammar. Many encoders treat them as special even though they only appear in the obsolete "mark" production. With common web protocols (
http,https,mailto) it is safe to encode them to%28and%29though web servers are allowed to assign special meanings to them. You are already usingencodeURIorencodeURIComponentso you are already assuming that URL escape sequences are UTF-8.From RFC 3986:
作为评论者,您有很多问题。括号 () 和 [] 在 URI 中有效,但具有特定用途,因此它们不由标准编码函数进行编码。
其次,通过线路发送 SQL 是一个非常糟糕的主意,尤其是在 get 请求中。请参阅 RFC 2616。像 get 和 head 这样的方法被认为是“安全”的,它们应该只实现检索,而不是改变状态。我真的会重新考虑你正在做的事情,看看你是否能以更干净的方式实现它,可能会在 Programmers.stackexchange。
As the commenters you have a number of issues. Brackets () and [] are valid in URIs but have specific purposes hence they are not encoded by standard encode functions.
Secondly, it is a really bad idea to send SQL over the wire, especially in a get request. See RFC 2616. Methods like get and head are considered 'safe', they should only implement retrieval, they are not meant to change state. I would really reconsider what you are doing and see if you could achieve it in a cleaner way, possibly seeking opinions on your conceptual architecture at Programmers.stackexchange.