This topic is now archived and is closed to further replies.

crashmaster

escape -> unescape ; encodeURI -> decodeURI ; in PHP

Hi there,

I have one problem which I don't know how to solve.

I have an AJAX form (comments.html), where I am sending data to a server script (post_it.php) through the POST method.

In comments.html I tried to secure the script, and all data I encoded and escaped (escape and encodeURI). But when this data is sent to post_it.php I don't know how to decode and unescape it.

Can somebody help me?

It's a standard AJAX request:

<script type="text/javascript" language="javascript" src="../inc/POSTajax.js"></script>

<script type="text/javascript" language="javascript">

   function clear (str) {
      return encodeURI(escape(str));
   }

   function doit(obj) {

      var valid = true;

      if (document.getElementById("author").value == '') {
         valid = false;
         alert('Chyba! Vyplnte jmeno !');
      }

      if (document.getElementById("comment").value == '') {
         valid = false;
         alert('Chyba! Vyplnte komentar !');
      }

      if (valid == true) {
         var poststr = "author=" + clear( document.getElementById("author").value ) +
                       "&comment=" + clear( document.getElementById("comment").value ) +
                       "&nid=<? echo $nid ;?>" +
                       "&registered=<? if ($_SESSION['auth'] == 'logged') {echo '1';} else { echo  '0'; } ?>" +
                       "&_username=<? echo $_SESSION['username'];?>" +
                       "&_userlevel=<? echo $_SESSION['userlevel'];?>" +
                       "&_auth=<? echo $_SESSION['auth'];?>";
         POSTRequest('pages/post_comment.php', poststr, 'comment_contnent');
      }
   }
</script>

 

and this one is post_it.php

sleep (2);


include ('../inc/mysql.php');


//FUNCTIONS
function qq($str)
{
    return (get_magic_quotes_gpc() ? $str : addslashes($str));
}




// I HAVE TO DECODE THIS ONE
$var['author'] = qq($_POST['author']);
// ^^^^^^^^^^^^^^^^^^^^^

$var['registered'] = $_POST['registered'];
$var['date'] = date('Y-m-d');
$var['time'] = date ('H:i:s');
$var['ip'] = $_SERVER['REMOTE_ADDR'];

//AND THIS ONE
$var['comment'] = strip_tags(mysql_real_escape_string(qq($_POST['comment'])));
//^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^



$query = mysql_query ("INSERT INTO comments (nid,date,time,ip,author,comment,registred) 
VALUES ('".$_POST['nid']."','".$var['date']."','".$var['time']."','".$var['ip']."','".$var['author']."','".$var['comment']."', '".$var['registered']."')");

if ($query) {

show_comments ($_POST['nid']);

}
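
The following is an added example, not part of the original post. It shows what a server receives when a field is passed through the post's `encodeURI(escape(str))` helper, compared with a single `encodeURIComponent`. The names `serverDecode`, `pageEncode`, `formEncode` and `roundTrip` are assumptions of this example, and `serverDecode` only stands in for the one round of form decoding PHP applies when it fills `$_POST`.

```javascript
// Stand-in (assumption) for the single application/x-www-form-urlencoded
// decode that PHP performs before the script sees $_POST.
function serverDecode(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// The post's helper under another name: two encoders stacked.
// escape() leaves '+' untouched, and form decoding turns '+' into a space.
function pageEncode(str) {
  return encodeURI(escape(str));
}

// Transport encoding that one server-side decode reverses exactly.
function formEncode(str) {
  return encodeURIComponent(str);
}

// Build a POST body, decode it once as the server would, return both views.
function roundTrip(encode, fields) {
  const body = Object.entries(fields)
    .map(([name, value]) => `${name}=${encode(value)}`)
    .join("&");
  return { body, received: serverDecode(body) };
}

// Constructed sample input: non-ASCII text plus quote, tag and form characters.
const sample = { author: "Jiří", comment: "it's <b>1&2</b>=3" };

const viaPage = roundTrip(pageEncode, sample);
const viaForm = roundTrip(formEncode, sample);

// Stacked encoders: the server still holds escape() output after its decode.
console.log(viaPage.received);
// Single encodeURIComponent: the server holds the original text.
console.log(viaForm.received);
```

In both cases the quote and tag characters are recoverable on the server, so the encoding is transport formatting only; quoting for SQL and for HTML output has to be done in the PHP script on the decoded value.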
