javascript code within the FIELD to be read by a sql query


straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Now I can see what you mean. I have gone to the web to find the answer to your question. Here it is:

"URL Encoding is the process of converting a string into valid URL format. Valid URL format means that the URL contains only what is termed "alpha | digit | safe | extra | escape" characters." The URL encoding was destroying my HTML code, as it treated it as malicious, so to say.

And now, what can I do? Remove that URL encoding?

I shouldn't, because someone might want to mess with the HTTP address query at the top...

Alvaro

=====================================================================================

jackpf wrote:Omg...why do you think!??!? Sorry....sorry...

Think about it. You're running html through urlencode(). You are url encoding it!!!
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

"URL Encoding is the process of converting a string into valid URL format. Valid URL format means that the URL contains only what is termed "alpha | digit | safe | extra | escape" characters."

Yes, but why don't the other characters, like Peter, 16, which are on the same row, get affected by that urlencoding? Is it because the HTML code is identified as potentially harmful or active that it is urlencoded?

What can I do then? I cannot remove that urlencoding, for protection, and yet there should be a way for the JavaScript value to be displayed.

straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Hello,

I left my question there. Now I am at the workplace and we need to close the premises. I have to log off, but I am very interested in knowing what to do in this case.

Thanks,

Al

===================================

jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

Read what you posted - it converts non-alpha characters to make it URL-safe. You can't pass ampersands or question marks in a URL, as they are reserved symbols. This includes lt and gt symbols as well. Why are you urlencoding it anyway?
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Your question is a fair one, since I am not sending variables separated by spaces to any URL, or sending them to a receiving script, but
if I remove the urlencode it simply does not work. It does not display anything, I mean no fields at all, no recordset, no pictures. I leave the rest intact, I just remove that word, and then the script does not work.
jackpf wrote:Read what you posted - it converts non alpha characters to make it url safe. You can't pass ampersands or question marks in a url, as they are reserved symbols. This includes lt and gt symbols as well. Why are you urlencoding it anyway?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

What's your code with it removed?

And do you have error reporting turned on?
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Hello,

All I do is remove the word urlencode; the rest stays intact. I'm wondering whether the syntax is then incorrect as regards the dots.

What you see below is not a chunk of code; it is one full PHP script, titled readbook.php:

<?php

// readbook.php with urlencode() removed: emits an XML document that the
// Flash front end reads, one <entry> element per row of zdb_bilder.
// Note: the mysql_* functions used here were removed in PHP 7.
include('include.php');
$result = mysql_query("SELECT * FROM zdb_bilder ORDER BY id DESC");
echo '<book>';

while ($row = mysql_fetch_array($result)) {
    echo '<entry id="' . $row['id'] . '"';
    // Field 0 is id (already written); the remaining columns become attributes.
    for ($i = 1; $i < mysql_num_fields($result); $i++) {
        $field = mysql_field_name($result, $i);
        // The value goes straight into a double-quoted attribute, so any
        // < > & or " stored in the column ends up raw inside the XML.
        echo ' ' . $field . '="' . $row[$field] . '"';
    }
    echo ' />';
}

echo '</book>';

mysql_close();

?>


jackpf wrote:What's your code with it removed?

And do you have error reporting turned on?
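The encoder in readbook.php is the wrong one for where the data lands: urlencode() produces %3C and %3E for a URL query string, while each value is being written into an XML attribute, which needs XML entity escaping. Below is an added example, not code from the thread, that builds the same <book> document with every value escaped for the attribute context, then parses it with DOMDocument to confirm the output is well-formed and that a stored <script> snippet comes back as attribute text rather than as a new element. The table and column names follow the thread; the sample rows are constructed, and the helper names xml_attr() and build_book_xml() are this example's own.

```php
<?php
// Added example (not the thread's code): emits the same <book><entry .../></book>
// document as readbook.php, but escapes every value for the XML attribute
// context instead of URL-encoding it. The sample rows below are constructed,
// not taken from the original database.

declare(strict_types=1);

// Escape a value for placement inside a double-quoted XML attribute.
// ENT_QUOTES | ENT_XML1 turns < > & " ' into entities, so a field that
// contains "<script>" or a stray quote can neither break the document
// nor inject extra attributes or elements.
function xml_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

// Build the <book> document from an array of associative rows (what
// mysqli_fetch_assoc() would return for SELECT * FROM zdb_bilder).
function build_book_xml(array $rows): string
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<book>\n";
    foreach ($rows as $row) {
        $xml .= '  <entry';
        foreach ($row as $field => $value) {
            // Column names come from the schema, not from user input, but
            // validate them anyway so an odd column name cannot produce bad XML.
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', (string) $field)) {
                throw new InvalidArgumentException("bad column name: $field");
            }
            $xml .= ' ' . $field . '="' . xml_attr((string) $value) . '"';
        }
        $xml .= " />\n";
    }
    return $xml . "</book>\n";
}

// Constructed sample rows: one ordinary row and one whose value carries the
// kind of markup the thread describes storing in a mediumtext column.
$rows = [
    ['id' => 2, 'name' => 'Peter', 'age' => '16', 'text' => 'plain value'],
    ['id' => 1, 'name' => 'Alvaro', 'age' => '40',
     'text' => '<script>document.write("Hello World!");</script>'],
];

$xml = build_book_xml($rows);

// Prove the output is well-formed and that the markup survived as data:
// the parser sees the attribute's original text, and no <script> element exists.
$doc = new DOMDocument();
if (!$doc->loadXML($xml)) {
    throw new RuntimeException('generated XML is not well-formed');
}
$entries = $doc->getElementsByTagName('entry');
if ($entries->length !== 2) {
    throw new RuntimeException('expected two <entry> elements');
}
$stored = $entries->item(1)->getAttribute('text');
if ($stored !== '<script>document.write("Hello World!");</script>') {
    throw new RuntimeException('attribute value was altered: ' . $stored);
}
if ($doc->getElementsByTagName('script')->length !== 0) {
    throw new RuntimeException('markup leaked out of the attribute');
}

header('Content-Type: text/xml; charset=UTF-8');
echo $xml;
```

With urlencode() the Flash side receives %3Cscript%3E, which it shows literally; with nothing at all the first < or " inside a value ends the attribute and the XML parser rejects the document, which is why the page goes blank. xml_attr() is the replacement for both: the document stays well-formed and the JavaScript arrives as text in the attribute, where the consumer can decide what, if anything, to do with it.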
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

There are no parse errors.

As I said, do you have error reporting turned on?

And what is displayed if you right click view source on the page?
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

The page is a Flash-protected movie; I cannot look inside, nothing happens if you right-click. As for the error reporting, I'm trying to locate the php.ini to see how the configuration is, but believe it or not it is taking me a while, since I can't remember where I installed it and the search brings up nothing.

And running phpinfo() does not help, because this is what it shows: C:\Users\marina\AppData\Local\Temp\zend_debug\session50357.tmp\php.ini, and AppData is not a visible folder.

=========================

jackpf wrote:There are no parse errors.

As I said, do you have error reporting turned on?

And what is displayed if you right click view source on the page?
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

Well, can you not run this script directly and view the source?

Also, you should be able to turn on error reporting with ini_set('display_errors', 1); and display_errors(E_ALL);
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Yes, I will add the display errors. As for running the script directly, I don't think I quite understand. What I am doing is, on the one side, writing directly into the DB, then running the application from my localhost and seeing the results as an end user. If I modify readbook.php, then I can see that the app does not work. If I bring it to Zend or Dreamweaver for execution, it would at best display the recordsets in an HTML page in the browser, but actually nothing different from what I am doing by running the Flash app.

I work from 18h to 22:30 and I've got to get on my way, but it is intriguing why without urlencode it does not work at all, and there should be a way to read JS content in the cells of the rows of the DB...

Alvaro
==============================================================


jackpf wrote:Well, can you not run this script directly and view the source?

Also, you should be able to turn on error reporting with ini_set('display_errors', 1); and display_errors(E_ALL);
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

I don't understand... you're running this from Flash? If so, you need to just run it normally so you can view the source and see what's being output, since you can't do that in Flash...

Removing urlencode will make no difference to the script's parsing, so it seems like you have another error, which is why I am suggesting you turn on error reporting.
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Thank you, will do. But this is getting stranger and stranger. The web has been working and works fine for more than 4 years. There has never been any issue with readbook.php. This thing with JavaScript is out of my own curiosity, trying to see what would happen, but it is baffling. The datatype mediumtext should be appropriate for a JS code snippet, and there is enough length allocated. Hmm...

===============================================================

jackpf wrote:I don't understand... you're running this from Flash? If so, you need to just run it normally so you can view the source and see what's being output, since you can't do that in Flash...

Removing urlencode will make no difference to the script's parsing, so it seems like you have another error, which is why I am suggesting you turn on error reporting.
straightman
Forum Commoner
Posts: 48
Joined: Sun Apr 19, 2009 5:20 am

Re: javascript code within the FIELD to be read by a sql query

Post by straightman »

Hello,

Well, I have included all this in my script:
ini_set('display_errors', 1);
ini_set('log_errors', 1);
ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
error_reporting(E_ALL);

I haven't seen anything reported, but neither have I found the error_log.txt anywhere; I guess the script has ignored that :(

Browser output, with urlencode on, if there is HTML code in the values of the cells of the fields of the DB:

nothing.

I included an echo line in the middle to see if it actually read the script, and it displayed it.

If I remove the urlencode:

it displays everything except the weird characters < > etc.

document.write("Hello World!"); " name="" etc
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: javascript code within the FIELD to be read by a sql query

Post by jackpf »

Are you using strip_tags() on it or something?