PHP - escape, urldecode, unescape confusion
I've got a TinyMCE editor, the contents of which need to be uploaded via AJAX.

Obviously, because of AJAX sending the parameters, they need to be escaped via JavaScript's escape() function so it doesn't break the AJAX parameters. The fields are mysql_real_escape_string'ed at the PHP side; I need to escape the AJAX parameters.

Unfortunately, when I add links and images to the editor and submit, the URLs of the images and links appear like this:

http://localhost:8888/%22../img/miscimages/hwo-american.gif/%22

On the page where the contents are displayed to the user (the product view page), the string from the database is run through urldecode() to get rid of the %22 and other escaped characters. There is no JavaScript on this page, it's all generated by PHP, hence urldecode(), not unescape(). Is there a way around this?
Code:

AJAX send:

    function update() {
        var xmlhttp;
        if (window.XMLHttpRequest) { // code for IE7+, Firefox, Chrome, Opera, Safari
            xmlhttp = new XMLHttpRequest();
        } else { // code for IE6, IE5
            xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
        }
        xmlhttp.onreadystatechange = function () {
            if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
                var response = xmlhttp.responseText;
                alert(response);
                window.location = 'admin-products.php';
            }
        };
        var prodid = document.getElementById("editchoice").value;
        var edittitle = escape(document.getElementById("editname").value);
        var editcategory = document.getElementById("editcat").value;
        var editcontent = escape(tinyMCE.get('editcontent').getContent());
        // prodid and editcategory are concatenated without any encoding
        var parameters = "prodid=" + prodid + "&title=" + edittitle + "&content=" + editcontent + "&cat=" + editcategory;
        xmlhttp.open("POST", "../scr/editproduct.php", true);
        xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
        xmlhttp.send(parameters);
    }
PHP database insert:

    $prodid = $_POST['prodid'];
    // urldecode() runs after the SQL escaping here, so its output is no longer escaped
    $title = urldecode(mysql_escape_string($_POST['title']));
    $content = urldecode(mysql_escape_string($_POST['content']));
    $category = $_POST['cat'];
    echo $prodid . $title . $content . $category;
    // $prodid and $category reach the query without escaping
    mysql_query("UPDATE product SET title='$title', content='$content', category_id='$category' WHERE id='$prodid'")
        or die("Error: " . mysql_error());
PHP display on page:

    /* product alias */
    $alias = $_GET['name'];
    // $alias reaches the query without escaping
    $product_selectprod = mysql_query("SELECT * FROM product WHERE alias='$alias'")
        or die("Error: " . mysql_error());

    /* sort query vars */
    while ($product_arrayprod = mysql_fetch_array($product_selectprod)) {
        $product_category = $product_arrayprod['category_id'];
        $product_title = urldecode($product_arrayprod['title']);
        $product_text = urldecode($product_arrayprod['content']);
        $product_image = $product_arrayprod['main_image'];
        $product_sub_image = $product_arrayprod['sub_image'];

        /* build product list */
        $productdetail .= "<img src='$product_image' width='350' height='240' class='prod_image_left' /><img src='$category_image' width='350' height='240' class='prod_image_right' />";
        $productdetail .= "<p> </p><h1>fiddes $product_title</h1><hr />";
        $productdetail .= "$product_text";
    }
From MDC: https://developer.mozilla.org/en/core_javascript_1.5_guide/functions#escape_and_unescape_functions

The escape and unescape functions do not work properly for non-ASCII characters and have been deprecated. In JavaScript 1.5 and later, use encodeURI, decodeURI, encodeURIComponent, and decodeURIComponent.

So don't use escape, it's deprecated :)
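
The difference the MDC quote points at, as an added example that is not part of the original question or answer: a POST body like the one update() builds is encoded once with escape() and once with encodeURIComponent(), then decoded by a small stand-in for a server-side form decoder. The sample values, the function names and the decoder itself are assumptions made for the illustration.

```javascript
// Added example; SAMPLE, formDecode, buildBody, parseBody and received are
// hypothetical names, and formDecode only approximates a server-side decoder.

// Decode one form-urlencoded value: "+" becomes a space, "%XX" becomes one raw
// byte, a "%" not followed by two hex digits stays literal; bytes are UTF-8.
function formDecode(value) {
  const bytes = [];
  for (let i = 0; i < value.length; i++) {
    const hex = value.slice(i + 1, i + 3);
    if (value[i] === '+') {
      bytes.push(0x20);
    } else if (value[i] === '%' && /^[0-9a-fA-F]{2}$/.test(hex)) {
      bytes.push(parseInt(hex, 16));
      i += 2;
    } else {
      bytes.push(...new TextEncoder().encode(value[i]));
    }
  }
  return new TextDecoder('utf-8').decode(new Uint8Array(bytes));
}

// Build the parameter string the way update() does, with a pluggable encoder.
function buildBody(fields, encode) {
  return Object.keys(fields).map((k) => k + '=' + encode(fields[k])).join('&');
}

// Split the body back into fields, as the receiving script would see them.
function parseBody(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const eq = pair.indexOf('=');
    out[formDecode(pair.slice(0, eq))] = formDecode(pair.slice(eq + 1));
  }
  return out;
}

// Constructed sample: "&", "+", double quotes and non-ASCII characters.
const SAMPLE = {
  title: 'Oak & Pine 2+2',
  content: '<a href="../img/a.gif">café €5</a>',
};

function received(encode) {
  return parseBody(buildBody(SAMPLE, encode));
}

console.log('escape():            ', received(escape));
console.log('encodeURIComponent():', received(encodeURIComponent));
```

With escape() the "+" in the title arrives as a space and the non-ASCII characters arrive damaged, while the encodeURIComponent() body round-trips unchanged without any urldecode() step on the receiving side.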