urlencode problems

Hi,

I am having problems with running urlencode(select * from myfile where
field like '%0002%'), in particular the like section. What I get is...
like+%27%250002%25%27
...which is fine, but when I decode it I get...
like \'02\'
...I get backslashes before the single quotes and 2 of the leading
zeroes in 0002 are missing.

Does anyone have any clues?

Regards
Doug Johnston
Aug 26 '05 #1
3 2179
Hi,

Not on my machine...
I made this little script to test.

<?php
// Encode the query text, decode it again, and print all three forms.
$astr = "select * from myfile where field like '%0002%'";
$enc = urlencode($astr);
$dec = urldecode($enc);

echo "astr = " . htmlentities($astr) . "<br>";
echo "enc = " . htmlentities($enc) . "<br>";
echo "dec = " . htmlentities($dec) . "<br>";
?>

which produces:

astr = select * from myfile where field like '%0002%'
enc = select+%2A+from+myfile+where+field+like+%27%250002%25%27
dec = select * from myfile where field like '%0002%'

Does it produce the same on your machine?

You must be adding slashes somewhere to make it 'safe'.
Maybe your php.ini settings are doing things you are not aware of?

By the way: everybody can make their own queries, and updates, if you pass
around SQL commands like this...
Please reconsider your design...
Regards,
Erwin Moller
Aug 26 '05 #2
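An added example, not Erwin's script or anything else from the thread, that reproduces both symptoms (backslashes and vanishing zeroes) by simulating the path a urlencode()d value takes into $_GET and then decoding it a second time. The simulation with parse_str() and addslashes() is an assumption about the poster's setup, consistent with the symptoms but not confirmed by the thread.

```php
<?php
// Added example (not from the thread). PHP URL-decodes every query-string
// value once while building $_GET, and older PHP (before 5.4) with
// magic_quotes_gpc=On also ran addslashes() on each value. Calling
// urldecode() on such a value is a second decode: the "%00" inside "%0002%"
// becomes a NUL byte, so the leading zeroes seem to vanish, while the
// backslashes around the quotes come from magic quotes.

function buildQueryString(string $sql): string
{
    return 'q=' . urlencode($sql);
}

// Stand-in for the automatic $_GET parsing (assumption: parse_str() applies
// exactly one round of URL decoding, as the real request parsing does).
function simulateGetParsing(string $queryString, bool $magicQuotesOn): string
{
    parse_str($queryString, $params);
    return $magicQuotesOn ? addslashes($params['q']) : $params['q'];
}

// The wrong handling the thread describes: decode the already-decoded value.
function decodeTwice(string $receivedValue): string
{
    return urldecode($receivedValue);
}

// Correct handling: use the value as $_GET already holds it and only undo
// the magic-quotes escaping (stripslashes) when that setting was on.
function decodeOnce(string $receivedValue, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($receivedValue) : $receivedValue;
}

$sql = "select * from myfile where field like '%0002%'";
$received = simulateGetParsing(buildQueryString($sql), true);

// Make control characters visible so a NUL byte shows up as \000.
echo 'decoded twice: ' . addcslashes(decodeTwice($received), "\0") . "\n";
echo 'decoded once : ' . decodeOnce($received, true) . "\n";
echo 'round trip ok: ' . var_export(decodeOnce($received, true) === $sql, true) . "\n";
```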
Hi Erwin,

Thanks for your reply. I have found stripslashes to work well for me,
but having to fudge the disappearing zeroes.

With regard to security apart from MySQL login and some unique client
data, the whole lot will be in a protected directory. Is this enough? I
guess if anyone wants to try hard enough they will get through anything.
Maybe there is something else I could do?

Regards
Doug Johnston

Aug 26 '05 #3
Doug Johnston wrote:
> Hi Erwin,

Hi,

> Thanks for your reply. I have found stripslashes to work well for me,
> but having to fudge the disappearing zeroes.

Well, look deeper. :-)
The fact you cannot pass name/value pairs around the way you expect is a
sign something is wrong somewhere.
I think you might hit other issues later.
Can you pass around a random string with URL-encode via query-string?
Just make a sample script, and see if it works.
If not, go check the documentation at php.net and check your php.ini
settings, etc. (use htmlentities to be sure you print a string as it is in
a webpage.)

In cases like this, always spend some extra time figuring it out.
Sometimes 'minor problems' return later on with an extra bite. :-(
Just my advice of course. :-)

> With regard to security apart from MySQL login and some unique client
> data, the whole lot will be in a protected directory. Is this enough?

Hard to say. What is a protected directory? Like a .htaccess file?

> I guess if anyone wants to try hard enough they will get through anything.

Yes and No.
Do not take this the wrong way, but that is no valid argument.
If you open a can with top-quality crackers, I expect that they can break a
lot of systems.
But that is no excuse for being sloppy and making things easy for the less
talented.
The easier the crack/hack, the more people will see it.
I mean: every web programmer immediately recognizes that URL as a
security hole. (That goes for method POST in a form too, by the way.)
I think it is a bad habit to pass queries around like that.

The question is of course whether the receiving script will execute the query.
If it does not (and only stores it somewhere in a log file, e.g.), the situation
is less serious of course. :-)

Sorry if I sound patronizing. (slap me. :P)

> Maybe there is something else I could do?

I always add things like this:
The script that receives the SQL-query should start with checking the
session to be sure the one logged in has access to that script.
eg: $_SESSION["admin"] should contain "Y"
if not: terminate the script and scoff the user.

Good luck

Regards,
Erwin Moller

> Regards
> Doug Johnston

Aug 26 '05 #4
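The design Erwin asks for, as an added example written for this thread rather than taken from it: only the search term travels in the URL, the receiving script checks $_SESSION["admin"] before anything else, and the query is fixed with a bound parameter. The table myfile and column field come from the thread; the in-memory SQLite database (pdo_sqlite) and passing the session as an array are assumptions so the script runs from the command line.

```php
<?php
// Added example, not from the thread: the design Erwin argues for, written
// out. Only the search value travels in the URL; the receiving script checks
// the session flag first and then runs a fixed query with a bound parameter.
// Assumptions: table "myfile" with column "field" (names from the thread),
// the pdo_sqlite extension for an in-memory demo database, and the session
// passed in as an array so this runs from the CLI without session_start().

function escapeLikeWildcards(string $value): string
{
    // % and _ in user input must match literally, not act as LIKE wildcards.
    return strtr($value, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
}

function searchMyfile(PDO $db, array $session, string $term): array
{
    // The check Erwin recommends: refuse unless the session marks an admin.
    if (($session['admin'] ?? '') !== 'Y') {
        throw new RuntimeException('not authorised');
    }
    $stmt = $db->prepare(
        "SELECT field FROM myfile WHERE field LIKE :pattern ESCAPE '\\'"
    );
    $stmt->execute([':pattern' => '%' . escapeLikeWildcards($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE myfile (field TEXT)");
foreach (["A0002B", "X0002", "12345", "100%"] as $row) {
    $db->prepare("INSERT INTO myfile (field) VALUES (?)")->execute([$row]);
}

// The only thing that arrives from the URL is the term, e.g. ?term=0002.
$term = $_GET['term'] ?? '0002';
print_r(searchMyfile($db, ['admin' => 'Y'], $term));
print_r(searchMyfile($db, ['admin' => 'Y'], '100%'));   // literal %, not a wildcard
try {
    searchMyfile($db, [], $term);
} catch (RuntimeException $e) {
    echo "request without admin session rejected: {$e->getMessage()}\n";
}
```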
