Can AJAX pass the string "select from"?
Posted: Mon Oct 05, 2009 10:40 pm
It's got to be the dumbest question I've asked, but it's driving me nuts.
After much debugging I found the reason my form data was not being submitted was because a textarea field has the words (string) "select from" as in, "select from the colour list", located in it.
I created a small test script in the hope that someone can look at it and see where I've gone wrong and help me out.
The script is not big and it's not smart but it defines the problem.
If I remove the Content-Type: application/x-www-form-urlencoded header the script works and it passes the string "select from", but I'm not sure that's the answer.
It seems that any other combination of the english language is fine and can be passed without problems.
File: sendAjaxClient.php
File: sendAjaxServer.php
When testing, an alert is displayed showing the current ready state. If a second alert doesn't display with a return value from the server ... something is wrong.
When I ruled out Jquery and a ton of other stuff I thought I'd implemented some sort of SQL injection parser as you could have "select ted from the rest of the text" and it still failed. If you just have "from" or "select" it passes OK.
Thank you for any help.
After much debugging I found the reason my form data was not being submitted was because a textarea field has the words (string) "select from" as in, "select from the colour list", located in it.
I created a small test script in the hope that someone can look at it and see where I've gone wrong and help me out.
The script is not big and it's not smart but it defines the problem.
If I remove the Content-Type: application/x-www-form-urlencoded header the script works and it passes the string "select from", but I'm not sure that's the answer.
It seems that any other combination of the english language is fine and can be passed without problems.
File: sendAjaxClient.php
Code: Select all
<?php
// Get the current directory.
$uri=pathinfo($_SERVER["REQUEST_URI"],PATHINFO_DIRNAME);
?>
<html>
<head>
<title>AJAX test</title>
<script type="text/javascript" >
function updateConnection(){
// If you try to pass 'select from' as a POST variable is fails.
// Anything else seems to pass.
// Tested in FF 3.5.3, IE 8 and Opera 10.0
[color=#FF4040]var p = 'var1='+encodeURIComponent('select from');[/color]
xhr=new XMLHttpRequest();
if(xhr.readyState==4||xhr.readyState==0){
try{
xhr.onreadystatechange =function(){
return function(){
if(xhr.readyState==4&&xhr.status==200){
try{updateCompleted(xhr.responseXML);}
catch(e){alert('XHR Error: '+e.message);return false;}
}
}
}();
xhr.open("POST","<?php echo $uri?>/sendAjaxServer.php",true);
xhr.setRequestHeader("X-Requested-With","XMLHttpRequest");
xhr.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xhr.send(p);
}catch(e){alert('XHR Error: '+e.message);return false;}
}
alert("AJAX readyState: "+xhr.readyState);
return false;
}
function updateCompleted(resp){
var xres = resp.documentElement;
var msg=xres.getAttribute("msg");
alert("Operation successful.\r\n\r\n"+msg+"\r\n\r\n");
}
</script>
</head>
<body>
<form name="f1" method="post" action="/ajaxTest" onsubmit="return updateConnection();" >
<fieldset>
<input type="submit" name="submit" value="Submit" >
</fieldset>
</form>
</body>
</html>
Code: Select all
<?php
$msg="AJAX returned: ";
$posted=array();
while(list($label,$val) = each($_POST)) {
$posted[$label]=$val;
}
if(isset($posted["var1"])){
$varData=$posted["var1"];
if(get_magic_quotes_gpc())
$varData = stripslashes($varData);
$msg.=$varData;
}
else $msg.="no data as POST var1 not found";
$xmlResponse='<xreturn msg="'.$msg.'"/>';
header('Expires: Tue, 28 Jun 2005 00:30:00 GMT');
header('Last-Modified: '.gmdate('D, d m y H:i:s') . ' GMT');
header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0');
header('Content-Type: text/xml');
$doc = new DOMDocument('1.0');
$doc->loadXML($xmlResponse);
echo $doc->saveXML();
?>
When I ruled out Jquery and a ton of other stuff I thought I'd implemented some sort of SQL injection parser as you could have "select ted from the rest of the text" and it still failed. If you just have "from" or "select" it passes OK.
Thank you for any help.