开发者

Passing POST data from Javascript(jquery) to php problems?

I been trying to passing this value:

// Content to submit to php
Others string here. And this link:
http://www.youtube.com/watch?v=CUUgKj2i1Xc&feature=rec-LGOUT-exp_fresh+div-1r-2-HM

to a php page, and insert it to database. here is my current code:

... // javascript

var content = $("#mcontent").val();
$.ajax({
    url : '<?php echo PATH; ?>functions/save.php',
    type: 'POST',
    data: 'id=<?php echo $_GET['id']; ?>&content=' + content + '&action=save&val=<?php echo md5("secr3t" . $_SESSION['userid_id']); ?>',
    dataType: 'json',

    success: function(response) {
        if (response.status == 'success') {
            alert(response.message);
        } else {
      开发者_Python百科      alert(response.message);
        }
    }
});

No errors actually, but in database, what it saved is:

Others string here. And this link:
http://www.youtube.com/watch?v=CUUgKj2i1Xc

I guess i know whats the problem, the problem is the:

http://www.youtube.com/watch?v=CUUgKj2i1Xc&feature=rec-LGOUT-exp_fresh+div-1r-2-HM

I think it takes the "&feature=" as another POST data. What I have tried:

  • Adding slash before the ampersand (http://phpjs.org/functions/addslashes:303)

  • Using Javascript HTML encode/decode function (found somewhere on internet also)

But both does not work. Do you have any others way?

EDIT:

Do you foresee any others problem that might occurs? The content are type/write by user. Meaning that, the user can type/write anything. On backhand, I did others checking though, including the "mysql_real_escape_string"


A nice thing about jQuery is that the data parameter can take a JS object, so you don't need to try to build a query string manually.

<?php

    $data = array("id" => $_GET['id'], 
                  "action" => "save", 
                  "val" => md5("secr3t",$_SESSION['userid_id'])
                 );
    $json_data = encode_json($data);
    $json_data = str_ireplace($json_data, '</script>', '<\/script>');
    echo "var data = $json_data;";
?>
data.content = content;
$.ajax({
            url : '<?php echo PATH; ?>functions/save.php',
            type: 'POST',
            data: data,
            dataType: 'json',


Learn escaping. You're vulnerable to XSS. In this case, your data are part of an URL, so you have to urlencode() it.

var content = $("#mcontent").val();
$.ajax({
    url : '<?php echo PATH; ?>functions/save.php',
    type: 'POST',
    data: 'id=<?php echo urlencode($_GET['id']); ?>&content=' + urlencode(content) + '&action=save&val=<?php echo md5("secr3t" . $_SESSION['userid_id']); ?>',
    dataType: 'json',

    success: function(response) {
        if (response.status == 'success') {
            alert(response.message);
        } else {
            alert(response.message);
        }
    }
});

Note: I assume that PATH does not contain special characters like ' and \. Since $_SESSION['user_id'] is md5-ed, it does not need to be escaped because it's safe (md5 returns a string with fixed length 32, containing only 0-9 and a-f.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜