[Proto-Scripty] Re: Escaping Input
Hi,

I'm surprised by the POST data you quoted, but it doesn't matter, I'm pretty sure I know what's wrong. I was hurrying too much when posting my reply. You don't have to URL-encode the JSON string if you're going to give Ajax.Request a parameters *object* rather than a parameters *string*, because Prototype will do it for you -- which is half the point of using an object. So drop the encodeURIComponent bit:

    // Using an object:
    entry = Object.toJSON($('busCalForm').serialize(true));
    new Ajax.Request(
        "modules/buscal/processes/saveBooking.php", {
        parameters: {
            year:   year,
            recnum: busmstr_id,
            json:   entry
        },
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

    // Using a string (not recommended, data gets transformed to an object
    // and then back again -- but it demonstrates using the
    // encodeURIComponent function):
    entry = Object.toJSON($('busCalForm').serialize(true));
    new Ajax.Request(
        "modules/buscal/processes/saveBooking.php", {
        parameters: "year=" + encodeURIComponent(year) +
                    "&recnum=" + encodeURIComponent(busmstr_id) +
                    "&json=" + encodeURIComponent(entry),
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

Note that I'm escaping all of the components, although if you *know* year and busmstr_id won't include any characters that are special in URLs, you can skip it. Again, though, best to use the object feature of Ajax.Request and let it handle URL-encoding.

Sorry for the bum steer earlier, rushing too much. "Do less, better" should be my motto. ;-)
--
T.J. Crowder
tj / crowder software / com
Independent Software Engineer, consulting services available

On Jul 31, 5:49 pm, infringer wrote:
> This method works well in FF 3.5, but FF 3.0.12 doesn't like it... I
> really would like to keep the form coming in a separate variable, but
> realize I may have to change that.
>
> 3.0.12's POST (truncated) just for info:
> %7Bstartdate%3A%202009-04-23%2C%20
>
> 3.5's POST (truncated):
> %7B%22startdate%22%3A%20%222009-04-23%22%2C%
>
> As you can see 3.5 has extra characters...
>
> I'm sending this to PHP, and my processing script receives the JSON
> variable as such
>
> $json_string = (isset($_POST['json']) ? rawurldecode($_POST['json']) : "");
> $json = json_decode($json_string, true);
> if (($json == '') || empty($json) || ($json == null)) {
>     $result['valid_result'] = 2;
>     $result['reason'] = rawurlencode("Unknown error, Administrator has been notified. Please try again later");
>     $result = json_encode($result);
>     header("Content-Type: application/json");
>     print $result;
>     exit(0);
> }
>
> so when users are using 3.0.xx they always receive this error message,
> because the PHP script doesn't see it as valid JSON.
>
> but 3.5 users (myself only) can perform the saves/deletes, etc
>
> This is for an internal application, we only allow FF to be used.
>
> Thanks for the help!
> -David
>
> On Jul 30, 4:00 pm, "T.J. Crowder" wrote:
> > Sorry, I got my wires crossed half-way through the first one of
> > those. You can't use String#toJSON, it's not a string! Doh.
> > Correcting my first example:
> >
> > entry = encodeURIComponent(Object.toJSON($('busCalForm').serialize(true)));
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id,
> >         json:   entry
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > Sorry 'bout that.
> >
> > -- T.J. :-)
> >
> > On Jul 30, 8:55 pm, "T.J. Crowder" wrote:
> > > Hi,
> > >
> > > You're sending an unencoded string (which happens to be in JSON
> > > format) as part of your parameters string, which is meant to be
> > > URL-encoded data. A # sign is the least of your problems. ;-) You'll
> > > want to encode that with JavaScript's encodeURIComponent function[1].
> > >
> > > Somewhat OT, but as of 1.6 (at least), the preferred way to provide
> > > options to Ajax.Request is as an object. If you give it a string,
> > > that string will be converted to an object, and then later converted
> > > back into a string. Yes, really. :-) Also, String has a toJSON
> > > function you can use instead of JSON.stringify (not that it matters).
> > >
> > > So:
> > >
> > > entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
> > > new Ajax.Request(
> > >     "modules/buscal/processes/saveBooking.php", {
> > >     parameters: {
> > >         year:   year,
> > >         recnum: busmstr_id,
> > >         json:   entry
> > >     },
> > >     onSuccess: busCal.gotEntry.bind(this),
> > >     onFailure: busCal.gotFailure.bind(this)
> > > });
> > >
> > > > How can I effectively escape an entire form, without
> > > > having to get the value and escape them individually? Is there a
> > > > command I'm missing?
> > >
> > > That's not
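The thread's three failure modes (an unencoded "#" in a parameters string, single encoding via a parameters object, and pre-encoding the value on top of that) side by side, as an added example that is not code from the thread or from Prototype itself. The toQueryParams/toQueryString functions are a simplified stand-in for how Prototype 1.6 re-parses a parameters string and serialises an object (an assumption about that library, not its code); the form data is constructed.

```javascript
// Added example, not from the thread: a model of what happens to the "json"
// parameter on its way to the server. toQueryParams/toQueryString are a
// simplified stand-in for Prototype 1.6's String#toQueryParams and
// Object.toQueryString (an assumption about that library, not its code).

// A parameters *string* is re-parsed like a URL query: anything after an
// unencoded '#' is taken to be a fragment and dropped.
function toQueryParams(str) {
  const params = {};
  const m = str.trim().match(/([^?#]*)(#.*)?$/);
  if (!m || !m[1]) return params;
  for (const pair of m[1].split('&')) {
    if (!pair) continue;
    const [key, ...rest] = pair.split('=');
    params[decodeURIComponent(key)] =
      rest.length ? decodeURIComponent(rest.join('=')) : undefined;
  }
  return params;
}

// The object is then serialised with each key and value encoded exactly once.
function toQueryString(obj) {
  return Object.entries(obj)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Server side: split the body and percent-decode each value once. This is
// what PHP has already done by the time $_POST is populated.
function serverParse(body) {
  const out = {};
  for (const pair of body.split('&')) {
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v);
  }
  return out;
}

function tryParse(s) {
  try { return JSON.parse(s); } catch (e) { return null; }
}

// Constructed form data with the '#' that broke the original poster's save.
const form = { startdate: '2009-04-23', note: 'room #4' };
const entry = JSON.stringify(form);

// 1. Raw JSON in a parameters string: the client-side re-parse truncates the
//    value at '#', so the server receives cut-off JSON (parse fails -> null).
function viaRawString() {
  const raw = 'year=2009&recnum=17&json=' + entry;
  return tryParse(serverParse(toQueryString(toQueryParams(raw))).json);
}

// 2. Parameters object with raw JSON: encoded once, decoded once, parses.
function viaObject() {
  const body = toQueryString({ year: 2009, recnum: 17, json: entry });
  return tryParse(serverParse(body).json);
}

// 3. Pre-encoding the value and also using the object form double-encodes:
//    the server's single decode yields "%7B%22startdate..." rather than JSON.
//    Returns what the server sees; only a second decode (the poster's extra
//    rawurldecode) turns it back into something json_decode accepts.
function viaDoubleEncoded() {
  const body = toQueryString({ year: 2009, json: encodeURIComponent(entry) });
  return serverParse(body).json;
}

console.log('raw string  ->', viaRawString());
console.log('object      ->', viaObject());
console.log('double-enc  ->', viaDoubleEncoded());
```

Case 3 is why the poster's PHP happened to work in one browser: its rawurldecode undid the double encoding, which a server that decodes only once would have rejected.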
[Proto-Scripty] Re: Escaping Input
Sorry - Just tucked into my first beer ... not remove slashes ... Sanitize the $_POST. My mistake.

Alex Mcauley
http://www.thevacancymarket.com

----- Original Message -----
From: "infringer"
To: "Prototype & script.aculo.us"
Sent: Friday, July 31, 2009 5:49 PM
Subject: [Proto-Scripty] Re: Escaping Input

This method works well in FF 3.5, but FF 3.0.12 doesn't like it... I really would like to keep the form coming in a separate variable, but realize I may have to change that.

3.0.12's POST (truncated) just for info:
%7Bstartdate%3A%202009-04-23%2C%20

3.5's POST (truncated):
%7B%22startdate%22%3A%20%222009-04-23%22%2C%

As you can see 3.5 has extra characters...

I'm sending this to PHP, and my processing script receives the JSON variable as such

    $json_string = (isset($_POST['json']) ? rawurldecode($_POST['json']) : "");
    $json = json_decode($json_string, true);
    if (($json == '') || empty($json) || ($json == null)) {
        $result['valid_result'] = 2;
        $result['reason'] = rawurlencode("Unknown error, Administrator has been notified. Please try again later");
        $result = json_encode($result);
        header("Content-Type: application/json");
        print $result;
        exit(0);
    }

so when users are using 3.0.xx they always receive this error message, because the PHP script doesn't see it as valid JSON.

but 3.5 users (myself only) can perform the saves/deletes, etc

This is for an internal application, we only allow FF to be used.

Thanks for the help!
-David

On Jul 30, 4:00 pm, "T.J. Crowder" wrote:
> Sorry, I got my wires crossed half-way through the first one of
> those. You can't use String#toJSON, it's not a string! Doh.
> Correcting my first example:
>
> entry = encodeURIComponent(Object.toJSON($('busCalForm').serialize(true)));
> new Ajax.Request(
>     "modules/buscal/processes/saveBooking.php", {
>     parameters: {
>         year:   year,
>         recnum: busmstr_id,
>         json:   entry
>     },
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> Sorry 'bout that.
>
> -- T.J. :-)
>
> On Jul 30, 8:55 pm, "T.J. Crowder" wrote:
> > Hi,
> >
> > You're sending an unencoded string (which happens to be in JSON
> > format) as part of your parameters string, which is meant to be
> > URL-encoded data. A # sign is the least of your problems. ;-) You'll
> > want to encode that with JavaScript's encodeURIComponent function[1].
> >
> > Somewhat OT, but as of 1.6 (at least), the preferred way to provide
> > options to Ajax.Request is as an object. If you give it a string,
> > that string will be converted to an object, and then later converted
> > back into a string. Yes, really. :-) Also, String has a toJSON
> > function you can use instead of JSON.stringify (not that it matters).
> >
> > So:
> >
> > entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id,
> >         json:   entry
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > > How can I effectively escape an entire form, without
> > > having to get the value and escape them individually? Is there a
> > > command I'm missing?
> >
> > That's not quite what your code is doing; you're sending the form
> > fields as a JSON-encoded string in a parameter called "json". If you
> > just want to send the form fields, and you don't need them to arrive
> > at the other end as a JSON string, there's a *much* shorter way:
> > Form#request[2]. Assuming that your form element has the
> > saveBooking.php as its action attribute:
> >
> > $('busCalForm').request({
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > The form fields will no longer be JSON-ified (but will be properly
> > URL-encoded), they'll arrive as individual parameters on the request. If
> > the form field doesn't have saveBooking.php as its action and you
> > can't change that, the Ajax.Request can still be simplified:
> >
> > params = $('busCalForm').serialize(true);
> > params.year = year;
> > params.recnum = busmstr_id;
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameter
[Proto-Scripty] Re: Escaping Input
You should always remove slashes from JSON in PHP. Example below.. I had a similar problem with a PHP app I developed and had to escape it properly

Alex Mcauley
http://www.thevacancymarket.com

----- Original Message -----
From: "infringer"
To: "Prototype & script.aculo.us"
Sent: Friday, July 31, 2009 5:49 PM
Subject: [Proto-Scripty] Re: Escaping Input

This method works well in FF 3.5, but FF 3.0.12 doesn't like it... I really would like to keep the form coming in a separate variable, but realize I may have to change that.

3.0.12's POST (truncated) just for info:
%7Bstartdate%3A%202009-04-23%2C%20

3.5's POST (truncated):
%7B%22startdate%22%3A%20%222009-04-23%22%2C%

As you can see 3.5 has extra characters...

I'm sending this to PHP, and my processing script receives the JSON variable as such

    $json_string = (isset($_POST['json']) ? rawurldecode($_POST['json']) : "");
    $json = json_decode($json_string, true);
    if (($json == '') || empty($json) || ($json == null)) {
        $result['valid_result'] = 2;
        $result['reason'] = rawurlencode("Unknown error, Administrator has been notified. Please try again later");
        $result = json_encode($result);
        header("Content-Type: application/json");
        print $result;
        exit(0);
    }

so when users are using 3.0.xx they always receive this error message, because the PHP script doesn't see it as valid JSON.

but 3.5 users (myself only) can perform the saves/deletes, etc

This is for an internal application, we only allow FF to be used.

Thanks for the help!
-David

On Jul 30, 4:00 pm, "T.J. Crowder" wrote:
> Sorry, I got my wires crossed half-way through the first one of
> those. You can't use String#toJSON, it's not a string! Doh.
> Correcting my first example:
>
> entry = encodeURIComponent(Object.toJSON($('busCalForm').serialize(true)));
> new Ajax.Request(
>     "modules/buscal/processes/saveBooking.php", {
>     parameters: {
>         year:   year,
>         recnum: busmstr_id,
>         json:   entry
>     },
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> Sorry 'bout that.
>
> -- T.J. :-)
>
> On Jul 30, 8:55 pm, "T.J. Crowder" wrote:
> > Hi,
> >
> > You're sending an unencoded string (which happens to be in JSON
> > format) as part of your parameters string, which is meant to be
> > URL-encoded data. A # sign is the least of your problems. ;-) You'll
> > want to encode that with JavaScript's encodeURIComponent function[1].
> >
> > Somewhat OT, but as of 1.6 (at least), the preferred way to provide
> > options to Ajax.Request is as an object. If you give it a string,
> > that string will be converted to an object, and then later converted
> > back into a string. Yes, really. :-) Also, String has a toJSON
> > function you can use instead of JSON.stringify (not that it matters).
> >
> > So:
> >
> > entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id,
> >         json:   entry
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > > How can I effectively escape an entire form, without
> > > having to get the value and escape them individually? Is there a
> > > command I'm missing?
> >
> > That's not quite what your code is doing; you're sending the form
> > fields as a JSON-encoded string in a parameter called "json". If you
> > just want to send the form fields, and you don't need them to arrive
> > at the other end as a JSON string, there's a *much* shorter way:
> > Form#request[2]. Assuming that your form element has the
> > saveBooking.php as its action attribute:
> >
> > $('busCalForm').request({
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > The form fields will no longer be JSON-ified (but will be properly
> > URL-encoded), they'll arrive as individual parameters on the request. If
> > the form field doesn't have saveBooking.php as its action and you
> > can't change that, the Ajax.Request can still be simplified:
> >
> > params = $('busCalForm').serialize(true);
> > params.year = year;
> > params.recnum = busmstr_id;
> > new Ajax.Request(
> >     "modules/buscal/pro
[Proto-Scripty] Re: Escaping Input
This method works well in FF 3.5, but FF 3.0.12 doesn't like it... I really would like to keep the form coming in a separate variable, but realize I may have to change that.

3.0.12's POST (truncated) just for info:
%7Bstartdate%3A%202009-04-23%2C%20

3.5's POST (truncated):
%7B%22startdate%22%3A%20%222009-04-23%22%2C%

As you can see 3.5 has extra characters...

I'm sending this to PHP, and my processing script receives the JSON variable as such

    $json_string = (isset($_POST['json']) ? rawurldecode($_POST['json']) : "");
    $json = json_decode($json_string, true);
    if (($json == '') || empty($json) || ($json == null)) {
        $result['valid_result'] = 2;
        $result['reason'] = rawurlencode("Unknown error, Administrator has been notified. Please try again later");
        $result = json_encode($result);
        header("Content-Type: application/json");
        print $result;
        exit(0);
    }

so when users are using 3.0.xx they always receive this error message, because the PHP script doesn't see it as valid JSON.

but 3.5 users (myself only) can perform the saves/deletes, etc

This is for an internal application, we only allow FF to be used.

Thanks for the help!
-David

On Jul 30, 4:00 pm, "T.J. Crowder" wrote:
> Sorry, I got my wires crossed half-way through the first one of
> those. You can't use String#toJSON, it's not a string! Doh.
> Correcting my first example:
>
> entry = encodeURIComponent(Object.toJSON($('busCalForm').serialize(true)));
> new Ajax.Request(
>     "modules/buscal/processes/saveBooking.php", {
>     parameters: {
>         year:   year,
>         recnum: busmstr_id,
>         json:   entry
>     },
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> Sorry 'bout that.
>
> -- T.J. :-)
>
> On Jul 30, 8:55 pm, "T.J. Crowder" wrote:
> > Hi,
> >
> > You're sending an unencoded string (which happens to be in JSON
> > format) as part of your parameters string, which is meant to be
> > URL-encoded data. A # sign is the least of your problems. ;-) You'll
> > want to encode that with JavaScript's encodeURIComponent function[1].
> >
> > Somewhat OT, but as of 1.6 (at least), the preferred way to provide
> > options to Ajax.Request is as an object. If you give it a string,
> > that string will be converted to an object, and then later converted
> > back into a string. Yes, really. :-) Also, String has a toJSON
> > function you can use instead of JSON.stringify (not that it matters).
> >
> > So:
> >
> > entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id,
> >         json:   entry
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > > How can I effectively escape an entire form, without
> > > having to get the value and escape them individually? Is there a
> > > command I'm missing?
> >
> > That's not quite what your code is doing; you're sending the form
> > fields as a JSON-encoded string in a parameter called "json". If you
> > just want to send the form fields, and you don't need them to arrive
> > at the other end as a JSON string, there's a *much* shorter way:
> > Form#request[2]. Assuming that your form element has the
> > saveBooking.php as its action attribute:
> >
> > $('busCalForm').request({
> >     parameters: {
> >         year:   year,
> >         recnum: busmstr_id
> >     },
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > The form fields will no longer be JSON-ified (but will be properly
> > URL-encoded), they'll arrive as individual parameters on the request. If
> > the form field doesn't have saveBooking.php as its action and you
> > can't change that, the Ajax.Request can still be simplified:
> >
> > params = $('busCalForm').serialize(true);
> > params.year = year;
> > params.recnum = busmstr_id;
> > new Ajax.Request(
> >     "modules/buscal/processes/saveBooking.php", {
> >     parameters: params,
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > [1] https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global...
> > [2] http://prototypejs.org/api/form/request
> >
> > HTH,
> > --
> > T.J. Crowder
> > tj / crowder software / com
> > Independent Software Engineer, consulting services available
> >
> > On Jul 30, 8:27 pm, infringer wrote:
> > > I have a form, I've been doing this in javascript:
> > >
> > > entry = $('busCalForm').serialize(true);
> > > entry = JSON.stringify(entry);
> > > new Ajax.Request("modules/buscal/processes/saveBooking.php", {
> > >     parameters: "year=" + year + "&recnum=" + busmstr_id + "&json=" + entry,
> > >     onSuccess: busCal.gotEntry.bind(this),
> > >     onFailure: busCal.gotFailure.bind(this)
> > >
[Proto-Scripty] Re: Escaping Input
Sorry, I got my wires crossed half-way through the first one of those. You can't use String#toJSON, it's not a string! Doh. Correcting my first example:

    entry = encodeURIComponent(Object.toJSON($('busCalForm').serialize(true)));
    new Ajax.Request(
        "modules/buscal/processes/saveBooking.php", {
        parameters: {
            year:   year,
            recnum: busmstr_id,
            json:   entry
        },
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

Sorry 'bout that.

-- T.J. :-)

On Jul 30, 8:55 pm, "T.J. Crowder" wrote:
> Hi,
>
> You're sending an unencoded string (which happens to be in JSON
> format) as part of your parameters string, which is meant to be
> URL-encoded data. A # sign is the least of your problems. ;-) You'll
> want to encode that with JavaScript's encodeURIComponent function[1].
>
> Somewhat OT, but as of 1.6 (at least), the preferred way to provide
> options to Ajax.Request is as an object. If you give it a string,
> that string will be converted to an object, and then later converted
> back into a string. Yes, really. :-) Also, String has a toJSON
> function you can use instead of JSON.stringify (not that it matters).
>
> So:
>
> entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
> new Ajax.Request(
>     "modules/buscal/processes/saveBooking.php", {
>     parameters: {
>         year:   year,
>         recnum: busmstr_id,
>         json:   entry
>     },
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> > How can I effectively escape an entire form, without
> > having to get the value and escape them individually? Is there a
> > command I'm missing?
>
> That's not quite what your code is doing; you're sending the form
> fields as a JSON-encoded string in a parameter called "json". If you
> just want to send the form fields, and you don't need them to arrive
> at the other end as a JSON string, there's a *much* shorter way:
> Form#request[2]. Assuming that your form element has the
> saveBooking.php as its action attribute:
>
> $('busCalForm').request({
>     parameters: {
>         year:   year,
>         recnum: busmstr_id
>     },
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> The form fields will no longer be JSON-ified (but will be properly
> URL-encoded), they'll arrive as individual parameters on the request. If
> the form field doesn't have saveBooking.php as its action and you
> can't change that, the Ajax.Request can still be simplified:
>
> params = $('busCalForm').serialize(true);
> params.year = year;
> params.recnum = busmstr_id;
> new Ajax.Request(
>     "modules/buscal/processes/saveBooking.php", {
>     parameters: params,
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> [1] https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global...
> [2] http://prototypejs.org/api/form/request
>
> HTH,
> --
> T.J. Crowder
> tj / crowder software / com
> Independent Software Engineer, consulting services available
>
> On Jul 30, 8:27 pm, infringer wrote:
> > I have a form, I've been doing this in javascript:
> >
> > entry = $('busCalForm').serialize(true);
> > entry = JSON.stringify(entry);
> > new Ajax.Request("modules/buscal/processes/saveBooking.php", {
> >     parameters: "year=" + year + "&recnum=" + busmstr_id + "&json=" + entry,
> >     onSuccess: busCal.gotEntry.bind(this),
> >     onFailure: busCal.gotFailure.bind(this)
> > });
> >
> > But I have a user that has typed a # in one of the fields, and the
> > script dies. How can I effectively escape an entire form, without
> > having to get the value and escape them individually? Is there a
> > command I'm missing?
> >
> > -David

--
You received this message because you are subscribed to the Google Groups "Prototype & script.aculo.us" group.
To post to this group, send email to prototype-scriptaculous@googlegroups.com
To unsubscribe from this group, send email to prototype-scriptaculous+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/prototype-scriptaculous?hl=en
[Proto-Scripty] Re: Escaping Input
Hi,

You're sending an unencoded string (which happens to be in JSON format) as part of your parameters string, which is meant to be URL-encoded data. A # sign is the least of your problems. ;-) You'll want to encode that with JavaScript's encodeURIComponent function[1].

Somewhat OT, but as of 1.6 (at least), the preferred way to provide options to Ajax.Request is as an object. If you give it a string, that string will be converted to an object, and then later converted back into a string. Yes, really. :-) Also, String has a toJSON function you can use instead of JSON.stringify (not that it matters).

So:

    entry = encodeURIComponent($('busCalForm').serialize(true).toJSON());
    new Ajax.Request(
        "modules/buscal/processes/saveBooking.php", {
        parameters: {
            year:   year,
            recnum: busmstr_id,
            json:   entry
        },
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

> How can I effectively escape an entire form, without
> having to get the value and escape them individually? Is there a
> command I'm missing?

That's not quite what your code is doing; you're sending the form fields as a JSON-encoded string in a parameter called "json". If you just want to send the form fields, and you don't need them to arrive at the other end as a JSON string, there's a *much* shorter way: Form#request[2]. Assuming that your form element has the saveBooking.php as its action attribute:

    $('busCalForm').request({
        parameters: {
            year:   year,
            recnum: busmstr_id
        },
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

The form fields will no longer be JSON-ified (but will be properly URL-encoded), they'll arrive as individual parameters on the request. If the form field doesn't have saveBooking.php as its action and you can't change that, the Ajax.Request can still be simplified:

    params = $('busCalForm').serialize(true);
    params.year = year;
    params.recnum = busmstr_id;
    new Ajax.Request(
        "modules/buscal/processes/saveBooking.php", {
        parameters: params,
        onSuccess: busCal.gotEntry.bind(this),
        onFailure: busCal.gotFailure.bind(this)
    });

[1] https://developer.mozilla.org/en/Core_JavaScript_1.5_Reference/Global_Functions/encodeURIComponent
[2] http://prototypejs.org/api/form/request

HTH,
--
T.J. Crowder
tj / crowder software / com
Independent Software Engineer, consulting services available

On Jul 30, 8:27 pm, infringer wrote:
> I have a form, I've been doing this in javascript:
>
> entry = $('busCalForm').serialize(true);
> entry = JSON.stringify(entry);
> new Ajax.Request("modules/buscal/processes/saveBooking.php", {
>     parameters: "year=" + year + "&recnum=" + busmstr_id + "&json=" + entry,
>     onSuccess: busCal.gotEntry.bind(this),
>     onFailure: busCal.gotFailure.bind(this)
> });
>
> But I have a user that has typed a # in one of the fields, and the
> script dies. How can I effectively escape an entire form, without
> having to get the value and escape them individually? Is there a
> command I'm missing?
>
> -David