crashmaster Posted September 19, 2007

Hi there,

I have one problem which I don't know how to solve. I have an AJAX form (comments.html), where I am sending data to a server script (post_it.php) through the POST method. In comments.html I tried to secure the script, and all data I encoded and escaped (escape and encodeURI). But when this data is sent to post_it.php I don't know how to decode and unescape it. Can somebody help me?

It's a standard AJAX request:

```
<script type="text/javascript" language="javascript" src="../inc/POSTajax.js"></script>
<script type="text/javascript" language="javascript">
function clear (str) {
    return encodeURI(escape(str) );
}

function doit(obj) {
    var valid = true;
    if (document.getElementById("author").value == '') {
        valid = false;
        alert('Chyba! Vyplnte jmeno !');
    }
    if (document.getElementById("comment").value == '') {
        valid = false;
        alert('Chyba! Vyplnte komentar !');
    }
    if (valid == true) {
        var poststr = "author=" + clear( document.getElementById("author").value ) +
            "&comment=" + clear( document.getElementById("comment").value ) +
            "&nid=<? echo $nid ;?>" +
            "&registered=<? if ($_SESSION['auth'] == 'logged') {echo '1';} else { echo '0'; } ?>" +
            "&_username=<? echo $_SESSION['username'];?>" +
            "&_userlevel=<? echo $_SESSION['userlevel'];?>" +
            "&_auth=<? echo $_SESSION['auth'];?>";
        POSTRequest('pages/post_comment.php', poststr, 'comment_contnent');
    }
}
</script>
```

and this one is post_it.php:

```
sleep (2);
include ('../inc/mysql.php');

// FUNCTIONS
function qq($str) {
    return (get_magic_quotes_gpc() ? $str : addslashes($str));
}

// I HAVE TO DECODE THIS ONE
$var['author'] = qq($_POST['author']);
// ^^^^^^^^^^^^^^^^^^^^^
$var['registered'] = $_POST['registered'];
$var['date'] = date('Y-m-d');
$var['time'] = date ('H:i:s');
$var['ip'] = $_SERVER['REMOTE_ADDR'];

// AND THIS ONE
$var['comment'] = strip_tags(mysql_real_escape_string(qq($_POST['comment'])));
// ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

$query = mysql_query ("INSERT INTO comments (nid,date,time,ip,author,comment,registred) VALUES ('".$_POST['nid']."','".$var['date']."','".$var['time']."','".$var['ip']."','".$var['author']."','".$var['comment']."', '".$var['registered']."')");

if ($query) {
    show_comments ($_POST['nid']);
}
```
kael.shipman Posted September 20, 2007

I think you're probably going a little overboard using both encodeURI() and escape(). Check this out: http://xkr.us/articles/javascript/encode-compare/. I usually use ONLY encodeURIComponent. The server should then automatically decode any encoded parts.

The problem with putting escape() inside of encodeURI() is that encodeURI() encodes all of the % signs that were the result of the encoding done by escape(), so you'd have to decode it twice on the server, and things might get pretty garbled.

Good luck!
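The double-encoding effect described in the answer above, as an added example that is not code from the thread. It runs in Node.js; `serverDecodeOnce` and `secondPass` are hypothetical stand-ins for the server's URL decoding, and the sample strings are constructed.

```javascript
// Added example, not code from the thread. Node.js still ships the legacy
// global escape() used in the question.

// The double encoding from the question.
function clear(str) {
  return encodeURI(escape(str));
}

// Hypothetical stand-in for the single decoding pass a server applies to an
// application/x-www-form-urlencoded body: '+' becomes a space, then each
// %XX sequence is decoded once.
function serverDecodeOnce(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Hypothetical second percent-decoding pass over what the server received.
// Returns null when the value is not valid UTF-8 percent-encoding.
function secondPass(received) {
  try {
    return decodeURIComponent(received);
  } catch (e) {
    return null; // escape() emits %uXXXX and Latin-1 %XX, which are rejected
  }
}

// Encode on the client, decode once on the server, report what arrives.
function roundTrip(encoder, input) {
  const wire = encoder(input);
  const received = serverDecodeOnce(wire);
  return { wire, received, intact: received === input };
}

// Constructed sample inputs; the last one is "Vyplňte jméno".
const samples = ['Tom & Jerry', '1+1=2', 'Vypl\u0148te jm\u00e9no'];

for (const s of samples) {
  const doubled = roundTrip(clear, s);
  console.log(JSON.stringify(s));
  console.log('  escape+encodeURI  :', doubled);
  console.log('  after second pass :', JSON.stringify(secondPass(doubled.received)));
  console.log('  encodeURIComponent:', roundTrip(encodeURIComponent, s));
}
```

Only the `encodeURIComponent` path arrives intact after one decoding pass. With the double encoding, the `+` is already lost on the first pass and the non-ASCII text cannot be recovered by a standard second pass.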
Stickybomb Posted September 25, 2007

Firstly, you are using an AJAX request. Why are you encoding anything in JS? You are communicating solely on your server; just clean and check the posted information in the PHP file.

As far as I know the user has no access to a request from your server to your server? And as long as you are using POST the user has no access to it if it was not sent by your server. POST is a secure method; GET, on the other hand, can be vulnerable since it appends data to the URL.