  1. #1
    Join Date
    Jan 2004
    Posts
    17

    Question Unanswered: Problem with Querystring which contains %20

    Hi all,

    I am facing a problem while parsing data with %20 in its content.

    More broadly, I am passing a SELECT query in the query string,
    like
    test.php?query=SELECT * FROM TABLE WHERE FIELD LIKE '%20'

    In the test page, when I access the query, it turns into
    SELECT * FROM TABLE WHERE FIELD LIKE ' '... which should not be done.

    Any solution?

    Waiting for your kind response.

  2. #2
    Join Date
    Apr 2006
    Location
    Denver, Co. USA
    Posts
    242
    While it is possible to change the space back to a %20 (one of the PHP html...encode functions can do this) passing a query on the end of the URL is a security problem as it will allow someone to change anything they want in your database, including putting their own password in or dropping your tables... test.php?query=DROP TABLE tbl_name

  3. #3
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    As a matter of security I heavily advise you NEVER EVER to pass a query string through a GET request. This is HIGHLY insecure and will allow anyone to construct a query of their own devising that will cause you no end of problems.

    In answer to your question however, what is happening is that the get string is being encoded (i.e. %20 is a space) and thus when interpreted is coming back with the query string you have above.

    What you need to do is urlencode your LIKE string, so in your PHP you need to generate the urlencoded version of the string you are sending over your url. The following will give you %20 url encoded, meaning when it gets to the other end it will come out as '%20' and NOT ''.
    Code:
    urlencode("%20");
    This will give you %2520 as your urlencoded string. So your query string will be
    Code:
    test.php?query=SELECT * FROM TABLE WHERE FIELD LIKE '%2520'

  4. #4
    Join Date
    Jan 2004
    Posts
    17
    Thanks for your kind replies.

    It's fine to use urlencode before passing it to the other end,
    but what if the data is coming from a text box?

    I have developed a DB tool pretty similar to phpMyAdmin, but it's one file only.

    I am passing the query via AJAX: there is one textarea where the user can type a query, the query is sent back using AJAX, and the result is shown. So how can I use urlencode before sending it back?

  5. #5
    Join Date
    Mar 2007
    Location
    636f6d7075746572
    Posts
    770
    In JScript look for %20 in your query string and convert it to %2520... You might also want to consider looking at what other syntax might cause you a problem.
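
The encoding round trip discussed in this thread, as an added example that is not part of any post. It goes beyond the `%20` case to the other characters a query string treats specially, and it assumes a hypothetical `term` parameter that carries only the search text, with the SQL kept on the server and the value bound to a prepared statement.

```javascript
// Added example. Assumptions: the endpoint takes a `term` parameter and the
// server binds it to a prepared statement; the SQL text itself is never sent.

// Raw concatenation, as in the thread's first post.
function naiveUrl(term) {
  return "test.php?term=" + term;
}

// encodeURIComponent escapes "%" itself as "%25", so "%20" travels as "%2520".
function encodedUrl(term) {
  return "test.php?term=" + encodeURIComponent(term);
}

// Simulates the single round of percent-decoding a server applies to the
// query string (PHP does this when it fills $_GET; "+" also becomes a space).
function serverSees(url) {
  const noFragment = url.split("#")[0]; // browsers never send the fragment
  const query = noFragment.slice(noFragment.indexOf("?") + 1);
  return new URLSearchParams(query).get("term");
}

// Constructed sample inputs: text a user might type into the textarea.
const SAMPLES = ["%20", "a+b", "x&y=1", "tag#1"];

// For each input, report what arrives with and without encoding.
function roundTrip(terms) {
  return terms.map((term) => ({
    term,
    naive: serverSees(naiveUrl(term)),
    encoded: serverSees(encodedUrl(term)),
  }));
}

for (const row of roundTrip(SAMPLES)) {
  console.log(JSON.stringify(row));
}
```

Encoding the whole value once on the client covers every special character, so no per-character search and replace is needed.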
