Page 2 of 3
Re: javascript code within the FIELD to be read by a sql query
Posted: Sun Jul 26, 2009 4:04 pm
by straightman
Now I can see what you mean. I have gone to the web to see the answer to your question; here it is:
URL encoding is the process of converting a string into valid URL format. Valid URL format means that the URL contains only what is termed "alpha | digit | safe | extra | escape" characters. The URL encoding was destroying my HTML code, as it held it for malicious, so to say.
And now, what can I do? Remove that url?
I shouldn't, because if someone wants to mess with the HTTP address query at the top...
Alvaro
=====================================================================================
jackpf wrote: Omg...why do you think!??!? Sorry....sorry...
Think about it. You're running HTML through urlencode(). You are URL encoding it!!!
Re: javascript code within the FIELD to be read by a sql query
Posted: Sun Jul 26, 2009 4:13 pm
by straightman
URL encoding is the process of converting a string into valid URL format. Valid URL format means that the URL contains only what is termed "alpha | digit | safe | extra | escape" characters.
Yes, but why don't the other characters, like Peter, 16, which are on the same row, get affected by that urlencoding? Is it because the HTML code is identified as potentially harmful or active that it is urlencoded?
What can I do then? I cannot remove that urlencoding, for protection, and yet there should be a way for the JavaScript value to be effectively displayed.
jackpf wrote: Omg...why do you think!??!? Sorry....sorry...
Think about it. You're running HTML through urlencode(). You are URL encoding it!!!
Re: javascript code within the FIELD to be read by a sql query
Posted: Sun Jul 26, 2009 4:16 pm
by straightman
Hello,
I left my question there. Now I am at the workplace and we need to shut the premises. I have to log off, but I am very interested in knowing what to do in this case.
Thanks,
Al
===================================
jackpf wrote: Omg...why do you think!??!? Sorry....sorry...
Think about it. You're running HTML through urlencode(). You are URL encoding it!!!
Re: javascript code within the FIELD to be read by a sql query
Posted: Sun Jul 26, 2009 4:25 pm
by jackpf
Read what you posted: it converts non-alpha characters to make it URL-safe. You can't pass ampersands or question marks in a URL, as they are reserved symbols. This includes lt and gt symbols as well. Why are you urlencoding it anyway?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 8:52 am
by straightman
It is true, your question, since I am not sending variables separated by spaces to any URL, or sending them to a receiving script, but
if I remove the urlencode it simply does not work. It does not display anything, I mean no fields at all, no recordset, no pictures. I leave the rest intact, I just remove that word, and then the script does not work.
jackpf wrote: Read what you posted: it converts non-alpha characters to make it URL-safe. You can't pass ampersands or question marks in a URL, as they are reserved symbols. This includes lt and gt symbols as well. Why are you urlencoding it anyway?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 9:01 am
by jackpf
What's your code with it removed?
And do you have error reporting turned on?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 9:16 am
by straightman
Hello,
All I do is extract the word urlencode; the rest is intact. I'm wondering whether the syntax is then not correct as per the dots.
What you see below is not a chunk of code, it is one full PHP script titled readbook.php:
<?php
include('include.php');
// Emit every row of zdb_bilder as one <entry .../> element, newest first
$result = mysql_query("SELECT * FROM zdb_bilder ORDER BY id DESC");
echo '<book>';
while ($row = mysql_fetch_array($result)) {
    echo '<entry id="' . $row['id'] . '"';
    // Every column after id becomes an attribute; the cell value is written
    // into the attribute as-is (this is the version with urlencode() taken out)
    for ($i = 1; $i < mysql_num_fields($result); $i++) {
        $field = mysql_field_name($result, $i);
        echo ' ' . $field . '="' . $row[$field] . '"';
    }
    echo ' />';
}
echo '</book>';
mysql_close();
?>
jackpf wrote: What's your code with it removed?
And do you have error reporting turned on?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 9:23 am
by jackpf
There are no parse errors.
As I said, do you have error reporting turned on?
And what is displayed if you right click view source on the page?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 9:42 am
by straightman
The page is a Flash protected movie; I cannot look inside, nothing happens if you right click. As per the error reporting, I'm trying to locate the php.ini to see how the configuration is, but believe it or not it is taking me a while, since I can't remember where I installed it and the search brings nothing.
And running phpinfo() does not help, because this is what it brings, C:\Users\marina\AppData\Local\Temp\zend_debug\session50357.tmp\php.ini, because AppData is not a visible folder.
=========================
jackpf wrote: There are no parse errors.
As I said, do you have error reporting turned on?
And what is displayed if you right click view source on the page?
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 10:06 am
by jackpf
Well can you not run this script directly and view the source?
Also, you should be able to turn on error reporting with ini_set('display_errors', 1); and display_errors(E_ALL);
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 10:23 am
by straightman
Yes, I will add the display errors. As per running the script directly, I think I don't quite understand. What I am doing is, on the one side, writing directly into the DB, then running the application from my localhost and seeing the results as an end user. If I modify the readbook.php then I can see that the app does not work. If I bring it to Zend or Dreamweaver for execution, it would at best display the recordsets in an HTML explorer page, but actually nothing different from what I am doing by running the Flash app.
I work from 18h to 22:30 and I've got to get on my way, but it is intriguing why without urlencode it does not work at all, and there should be a way to read JS content in the cells of the rows of the DB...
Alvaro
==============================================================
jackpf wrote: Well can you not run this script directly and view the source?
Also, you should be able to turn on error reporting with ini_set('display_errors', 1); and display_errors(E_ALL);
Re: javascript code within the FIELD to be read by a sql query
Posted: Mon Jul 27, 2009 10:40 am
by jackpf
I don't understand...you're running this from Flash? If so, you need to just run it normally so you can view the source and see what's being output, since you can't do that in Flash...
Removing urlencode will make no difference to the script's parsing, so it seems like you have another error, which is why I am suggesting you turn on error reporting.
Re: javascript code within the FIELD to be read by a sql query
Posted: Tue Jul 28, 2009 2:40 pm
by straightman
Thank you, will do. But this is getting stranger and stranger. The web site has been working and works fine for more than 4 years. There has never been any issue with readbook.php. This JavaScript thing is of my own curiosity, for trying what would happen, but it is baffling. The datatype MEDIUMTEXT should be the appropriate one for a JS code snippet, and there is enough length allocated. Hmm...
===============================================================
jackpf wrote: I don't understand...you're running this from Flash? If so, you need to just run it normally so you can view the source and see what's being output, since you can't do that in Flash...
Removing urlencode will make no difference to the script's parsing, so it seems like you have another error, which is why I am suggesting you turn on error reporting.
Re: javascript code within the FIELD to be read by a sql query
Posted: Wed Jul 29, 2009 6:01 am
by straightman
Hello,
Well, I have included all this in my script:
ini_set('display_errors', 1);
ini_set('log_errors', 1);
ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
error_reporting(E_ALL);
I haven't seen anything reported, but neither have I found the error_log.txt anywhere; I guess the script has ignored that.
Browser output with urlencode on, if there is HTML code in the values of the cells of the fields of the DB:
Nothing.
I included an echo line in the middle to see if it actually read the script, and it displayed it.
If I remove the urlencode:
It displays everything except the weird characters < > etc.:
document.write("Hello World!"); " name="" etc
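An added example, not readbook.php itself nor code from anyone in this thread: it rebuilds the <entry .../> line the script emits for a constructed row holding a script snippet, and runs the raw, urlencode() and XML-escaped variants through an XML parser, which is the check the consuming Flash movie effectively performs. It assumes PHP 5.4 or later (for ENT_XML1); build_entry and xml_attr are hypothetical helper names.

```php
<?php
// Added example: why a cell value must be escaped for the XML attribute context
// rather than urlencode()d or written raw. $row is constructed sample data.
libxml_use_internal_errors(true);
$row = [
    'id'    => 42,
    'name'  => 'Peter',
    'age'   => '16',
    'notes' => '<script>document.write("Hello & <b>World</b>!");</script>',
];

// Builds one <entry .../> element; $escape decides how each cell is encoded.
function build_entry(array $row, callable $escape)
{
    $xml = '<entry id="' . (int) $row['id'] . '"';
    foreach ($row as $field => $value) {
        if ($field !== 'id') {
            $xml .= ' ' . $field . '="' . $escape((string) $value) . '"';
        }
    }
    return $xml . ' />';
}

// Escapes a value for an XML attribute: &, <, >, " and ' become entities.
function xml_attr($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

$variants = [
    'raw (urlencode removed)' => function ($v) { return $v; },
    'urlencode'               => 'urlencode',
    'xml escaped'             => 'xml_attr',
];

foreach ($variants as $label => $escape) {
    $doc = '<book>' . build_entry($row, $escape) . '</book>';
    // The consumer's view (SimpleXML here, the Flash movie in the thread):
    // does the document parse, and what does the notes attribute hold?
    $parsed = simplexml_load_string($doc);
    echo $label, ":\n  ", $doc, "\n";
    if ($parsed === false) {
        echo "  -> malformed XML: the parser rejects the whole document\n";
    } else {
        $notes = (string) $parsed->entry['notes'];
        echo "  -> notes attribute: ", $notes, "\n";
        echo "  -> matches the stored cell: ", ($notes === $row['notes'] ? 'yes' : 'no'), "\n";
    }
}
```

Only the XML-escaped variant both parses and hands back the stored snippet unchanged; the raw variant is rejected because the quote and angle brackets end the attribute early, and the urlencoded variant parses but delivers percent-encoded text, which is the garbage the Flash front end showed.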
Re: javascript code within the FIELD to be read by a sql query
Posted: Wed Jul 29, 2009 7:18 am
by jackpf
Are you using strip_tags() on it or something?