PHP urldecode issue
I'm posting the below JavaScript encodeURI value via jQuery to a PHP script; there I use urldecode and store the value in the db, but the '>' symbol is not stored.
testid=174742228&VI-42=zdddfsdsdf%3Edsdfsdfs%3Efsdfsdfs&
+------+-----------+-----+-----+------------------------------+------+
| id | testid | sec | qid | ans | img |
+------+-----------+-----+-----+------------------------------+------+
| 6510 | 174742228 | VI | 42 | zdddfsdsdf dsdfsdfs fsdfsdfs | NULL |
+------+-----------+-----+-----+------------------------------+------+
foreach ($_POST as $k => $v) {
    $flds = explode("-", $k);
    if (count($flds) == 3) {
        $datai = array($flds[0], $flds[1], $flds[2], $testid, urldecode(mysql_escape_string($v)));
        $resi = $dbh->prepare("INSERT INTO result (sec, img, qid, testid, ans) VALUES (?, ?, ?, ?, ?)");
        $resi->execute($datai);
    } else {
        $data = array($flds[0], $flds[1], $testid, urldecode(mysql_escape_string($v)));
        $res = $dbh->prepare("INSERT INTO result (sec, qid, testid, ans) VALUES (?, ?, ?, ?)");
        $res->execute($data);
    }
}
Thanks in advance
I don't know if any of this will fix your problem, but there are a few problems in your code:
- mysql_escape_string is deprecated, you should use mysql_real_escape_string.
- You should urldecode before escaping (e.g.: mysql_real_escape_string(urldecode($str));).
- You don't even have to escape anything. You are using prepared statements (most probably PDO from the syntax). PDO will automatically escape values with placeholders for you.
- You may be double-decoding. If the query string you posted is sent directly to PHP as request body, it is automatically decoded. Therefore, you may be urldecoding an already decoded URL.
- The fact that you are referencing $testid directly (instead of $_POST['test_id']) makes me think that you may be using register_globals. It may not be the case, but just to make sure.
Other than that, the code seems fine and shouldn't make the > symbols disappear. Check your MySQL column type and/or try var_dumping $_POST and check what you've got there.
Try reversing the order of urldecode(mysql_escape_string($v)). You are escaping the data before it's converted into what is actually going into the database.
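The points the answers make about prepared statements and double-decoding, as an added example that is not part of the original question or answers. It assumes PHP with the pdo_sqlite extension; the in-memory SQLite table stands in for the MySQL one, and the VI-43 field is constructed.

```php
<?php
// Constructed request body: the first field is the one from the question; the
// second is what the browser sends when the user literally types "a%3Eb+c".
$rawBody = 'testid=174742228&VI-42=zdddfsdsdf%3Edsdfsdfs%3Efsdfsdfs&VI-43=a%253Eb%2Bc';

// parse_str() applies the same single URL-decoding PHP uses to fill $_POST.
parse_str($rawBody, $post);

// Assumption: in-memory SQLite (pdo_sqlite) stands in for the MySQL table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE result (sec TEXT, qid INTEGER, testid INTEGER, ans TEXT)');

$testid = (int) $post['testid'];
$ins = $dbh->prepare('INSERT INTO result (sec, qid, testid, ans) VALUES (?, ?, ?, ?)');

foreach ($post as $k => $v) {
    $flds = explode('-', $k);
    if (count($flds) !== 2) {
        continue; // skip testid and anything that is not "sec-qid"
    }
    // Bound as-is: no urldecode(), no manual escaping. The placeholder keeps
    // the value out of the SQL text.
    $ins->execute([$flds[0], (int) $flds[1], $testid, $v]);
}

foreach ($dbh->query('SELECT qid, ans FROM result ORDER BY qid') as $row) {
    $again = urldecode($row['ans']); // what a second decode would have stored
    printf("qid=%d stored=%s double-decoded=%s%s\n",
        $row['qid'],
        var_export($row['ans'], true),
        var_export($again, true),
        $again === $row['ans'] ? '' : '  <-- corrupted');
}
```

The `>` from the question survives both paths, which matches the first answer's remark that this code should not make it disappear; the second decode only damages values that legitimately contain `%XX` sequences or `+`.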