Passing “(” and “)” through a URI causes a 403 error, how can I encode them?

只谈情不闲聊 posted on 2019-12-23 03:44:09

Question


(JavaScript for the XML HTTP request and PHP for the execution SQL query.)

I'm building a web app that executes queries. It uses the XMLHTTP request GET method and passes a query to a PHP script that executes it. It works fine until I introduce parentheses ( ) in it.

Here is an example of how it works:

function executeQry() {
    // read the query text the user typed
    var qry = document.getElementById('textarea').value;
    xmlHTTPRequest(encodeURI(qry));
    // I've also tried encodeURIComponent(qry);
}

function xmlHTTPRequest(qry) {
    // fetches the PHP script with the query passed in the query string
    var urlFetch = "http://my.url.com/script.php?qry=" + qry;
    var req = new XMLHttpRequest();
    req.open("GET", urlFetch, true);
    req.send();
}

This is a quick reference; I know that my xmlhttp request works fine because it does what it needs to do when other queries are passed through, for example:

SELECT * FROM `tableName`

works fine, but when you try to do something like

CREATE TABLE `new_table`
AS (SELECT * FROM `old_table`)

Then this is when it won't execute: I get the 403 error, so I figured that it's an issue with the () because I even tried this same code on the PHP itself, without having to pass it through, and it worked, so there must be an issue with the URL encoding process, right? If this is the issue, is there a method for encoding these characters? I assume there are other characters that don't get encoded with the encodeURI() method as well as encodeURIComponent(). Thanks in advance!


Answer 1:


The below should do it:

urlFetch = "http://my.url.com/script.php?qry=" + encodeURIComponent(qry)
    .replace(/\(/g, "%28").replace(/\)/g, "%29");

Parentheses are oddballs in the URI grammar. Many encoders treat them as special even though they only appear in the obsolete "mark" production. With common web protocols (http, https, mailto) it is safe to encode them to %28 and %29 though web servers are allowed to assign special meanings to them. You are already using encodeURI or encodeURIComponent so you are already assuming that URL escape sequences are UTF-8.

From RFC 3986:

sub-delims    "!" / "$" / "&" / "'" / "(" / ")"
            / "*" / "+" / "," / ";" / "="

...

obsolete rule     translation
mark              "-" / "_" / "." / "!" / "~" / "*" / "'"
                / "(" / ")"
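The replace chain above handles only "(" and ")". As an added example (not code from the answer), the function below generalises it to all five sub-delims that encodeURIComponent() leaves unencoded ("!", "'", "(", ")", "*"), builds a query string from a parameter object, and includes the round-trip check a practitioner would run: decodeURIComponent() of the encoded form must give back the original text. Note that percent-encoding only changes how the text travels; the PHP script still receives the same SQL, so this does nothing about the concern raised in the second answer.

```javascript
// Added example, not from the question or either answer.
// Sub-delims from RFC 3986 that encodeURIComponent() does NOT percent-encode.
const UNENCODED_SUBDELIMS = /[!'()*]/g;

// encodeURIComponent() plus percent-encoding of the five characters above.
function encodeRFC3986Component(value) {
  return encodeURIComponent(value).replace(UNENCODED_SUBDELIMS, (c) =>
    "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0"));
}

// Build "base?k1=v1&k2=v2" with every key and value encoded the same way.
function buildQueryUrl(base, params) {
  const pairs = Object.entries(params).map(
    ([k, v]) => encodeRFC3986Component(k) + "=" + encodeRFC3986Component(v));
  return base + "?" + pairs.join("&");
}

// Check: what we send decodes back to exactly what the user typed.
function roundTrips(value) {
  return decodeURIComponent(encodeRFC3986Component(value)) === value;
}

// Constructed input: the query from the question, on one line.
const SAMPLE_QUERY = "CREATE TABLE `new_table` AS (SELECT * FROM `old_table`)";
const SAMPLE_URL = buildQueryUrl("http://my.url.com/script.php", { qry: SAMPLE_QUERY });
```

If the server still returns 403 after the parentheses arrive as %28 and %29, the rejection is happening on the server side rather than in the encoding step.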



Answer 2:


As the commenters said, you have a number of issues. Brackets () and [] are valid in URIs but have specific purposes, hence they are not encoded by standard encode functions.

Secondly, it is a really bad idea to send SQL over the wire, especially in a get request. See RFC 2616. Methods like get and head are considered 'safe', they should only implement retrieval, they are not meant to change state. I would really reconsider what you are doing and see if you could achieve it in a cleaner way, possibly seeking opinions on your conceptual architecture at Programmers.stackexchange.
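To make the "cleaner way" concrete, here is an added example (not from this answer or the question) of the shape it usually takes: the client sends an operation name and parameters instead of SQL text, state-changing operations go over POST rather than GET, and the server maps the name to a fixed statement whose table identifiers come from an allowlist rather than from the request. The operation names, the allowlist and the resolveStatement() check are all hypothetical; the PHP script in the question would do the resolveStatement() part, but it is written in JavaScript here so the example runs in one place.

```javascript
// Added example, not from the question or either answer. All names are hypothetical.
const SCRIPT_URL = "http://my.url.com/script.php"; // endpoint from the question

// Operations the server is willing to perform. Each maps to a fixed SQL template;
// the only variable parts are table names, and those are checked against ALLOWED_TABLES.
const OPERATIONS = {
  listTable: { method: "GET",  sql: "SELECT * FROM `{table}`" },                      // read-only
  copyTable: { method: "POST", sql: "CREATE TABLE `{dst}` AS (SELECT * FROM `{src}`)" }, // changes state
};
const ALLOWED_TABLES = new Set(["tableName", "old_table", "new_table"]); // constructed allowlist

// Client side: name the operation, never ship SQL. URLSearchParams percent-encodes
// parentheses and other sub-delims by itself, so no manual replace() chain is needed.
function buildRequest(op, params) {
  const def = OPERATIONS[op];
  if (!def) throw new Error("unknown operation: " + op);
  const encoded = new URLSearchParams({ op, ...params }).toString();
  if (def.method === "GET") {
    return { method: "GET", url: SCRIPT_URL + "?" + encoded, body: null };
  }
  return { method: "POST", url: SCRIPT_URL, body: encoded };
}

// Server side (what script.php would do): reject unknown operations, reject
// state-changing operations sent over GET, and fill the template only with
// allowlisted identifiers. Returns { ok, sql } or { ok, reason }.
function resolveStatement(method, query) {
  const params = new URLSearchParams(query);
  const def = OPERATIONS[params.get("op")];
  if (!def) return { ok: false, reason: "unknown operation" };
  if (method !== def.method) return { ok: false, reason: "wrong method for operation" };
  let sql = def.sql;
  const placeholders = def.sql.match(/\{(\w+)\}/g).map((s) => s.slice(1, -1));
  for (const name of placeholders) {
    const value = params.get(name);
    if (!ALLOWED_TABLES.has(value)) return { ok: false, reason: "table not allowed: " + name };
    sql = sql.replace("{" + name + "}", value);
  }
  return { ok: true, sql };
}
```

With this split, the characters in the SQL never touch the URL at all, and the server decides what may run rather than executing whatever text it is handed.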



Source: https://stackoverflow.com/questions/8143085/passing-and-through-a-uri-causes-a-403-error-how-can-i-encode-them
