
escape urldecode unescape confusion

开发者 https://www.devze.com 2023-02-14 08:26 Source: Internet

I've got a TinyMCE editor - the contents of which need to be uploaded by AJAX.

Obviously because of the AJAX sending the parameters, they need to be escaped via JavaScript's escape() function; this is so it doesn't break the AJAX parameters. The fields are mysql_real_escape_string'ed at the PHP side, I only need the escape for the AJAX parameters.

Unfortunately, when I add links and images into the editor and then submit, the URLs to the images and links appear like this:

http://localhost:8888/%22../img/miscimages/hwo-american.gif/%22

On the page where the contents are displayed to the user (the product view page), the string from the database is run through urldecode() to get rid of all the %22 and other escaped characters. There is no JavaScript on this page, it's all generated with PHP, hence the urldecode() and not unescape(). Is there any way around this?

CODE:

AJAX Send

function update(){
    if (window.XMLHttpRequest)
    {// code for IE7+, Firefox, Chrome, Opera, Safari
        xmlhttp=new XMLHttpRequest();
    }else{// code for IE6, IE5
        xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
    }

    xmlhttp.onreadystatechange=function()
    {
        if (xmlhttp.readyState==4 && xmlhttp.status==200)
        {
            var response = xmlhttp.responseText;
            alert(response);
            window.location = 'admin-products.php';
        }
    }
    var prodID=document.getElementById("editchoice").value;
    var edittitle=escape(document.getElementById("editname").value);
    var editcategory=document.getElementById("editcat").value;
    var editcontent = escape(tinyMCE.get('editcontent').getContent());
    var parameters= "prodID="+prodID+"&title="+edittitle+"&content="+editcontent+"&cat="+editcategory;
    xmlhttp.open("POST", "../scr/editProduct.php", true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.send(parameters);
}

PHP Database Insert

$prodID = $_POST['prodID'];
$title = urldecode(mysql_escape_string($_POST['title']));
$content = urldecode(mysql_escape_string($_POST['content']));
$category = $_POST['cat'];

echo $prodID . $title . $content . $category;

mysql_query("UPDATE product SET title='$title', content='$content', category_id='$category' WHERE id='$prodID'") or die("ERROR: ".mysql_error());

PHP Display on Page

/* Get Product from Alias */
$alias = $_GET['name'];
$product_selectProd = mysql_query("SELECT * FROM product WHERE alias='$alias'") or die("ERROR: ". mysql_error());

/* Sort Query Vars */
while($product_arrayProd = mysql_fetch_array($product_selectProd)){
    $product_category = $product_arrayProd['category_id'];
    $product_title = urldecode($product_arrayProd['title']);
    $product_text = urldecode($product_arrayProd['content']);
    $product_image = $product_arrayProd['main_image'];
    $product_sub_image = $product_arrayProd['sub_image'];

    /* Build the Product List */
    $productDetail .= "<img src='$product_image' width='350' height='240' class='prod_image_left' /><img src='$category_image' width='350' height='240' class='prod_image_right' />";
    $productDetail .= "<p>&nbsp;</p><h1>Fiddes $product_title</h1><hr />";
    $productDetail .= "$product_text";
}


From MDC: https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#escape_and_unescape_Functions

The escape and unescape functions do not work properly for non-ASCII characters and have been deprecated. In JavaScript 1.5 and later, use encodeURI, decodeURI, encodeURIComponent, and decodeURIComponent.

So don't use escape, it's deprecated :)
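
The difference described above, as an added example that is not part of the original answer: the same editor content is sent once with escape() and once with encodeURIComponent(), then decoded once the way PHP does when it fills $_POST. The sample content and all function names are constructed for illustration, and extraUrldecode() is a simplified model of calling urldecode() on text that is already decoded.

```javascript
// Constructed sample standing in for tinyMCE.get('editcontent').getContent().
const sampleContent =
  '<p>5 \u20ac + tax</p><a href="list.php?tag=a%26b">more</a>';

// The question's approach: escape() leaves "+" and "/" untouched and writes
// code points above 0xFF as %uXXXX, which is not valid percent-encoding.
function bodyWithEscape(fields) {
  return Object.entries(fields)
    .map(([k, v]) => k + '=' + escape(v))
    .join('&');
}

// Replacement: encodeURIComponent() encodes the value as UTF-8 and
// percent-encodes "+", "&", "=" and "%" so they cannot alter the body.
function bodyWithEncodeURIComponent(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// Stand-in for the server: one form-urlencoded decode, which PHP has
// already performed by the time $_POST is populated.
function serverDecode(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Simplified model of an extra PHP urldecode() call on already-decoded text
// (ASCII escapes only): "+" becomes a space, %XX becomes the character.
function extraUrldecode(text) {
  return text
    .replace(/\+/g, ' ')
    .replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
      String.fromCharCode(parseInt(hex, 16)));
}

// Encode the sample with the given encoder, then decode it once server-side.
function roundTrip(encodeBody) {
  return serverDecode(encodeBody({ content: sampleContent })).content;
}

console.log('escape():            ', roundTrip(bodyWithEscape));
console.log('encodeURIComponent():', roundTrip(bodyWithEncodeURIComponent));
console.log('extra urldecode():   ', extraUrldecode(sampleContent));
```

Only the encodeURIComponent() body survives the round trip unchanged, and a further urldecode() on the stored text rewrites the legitimate "+" and "%26" inside it.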


Just a note on your database insert.

  1. You shouldn't use urldecode for the database insert. urlencode has nothing to do with databases. For the insert, only database-related functions should be used.
    Do it somewhere else, not at the time when data is being inserted into the database. mysql_real_escape_string should be the very last thing applied to the data before insert. Or you break everything (as you do at the moment).

  2. A minor issue. It's slightly better to use mysql_real_escape_string instead of mysql_escape_string. For some odd encodings it will cover your backs.

  3. Most terrible thing. You're not sanitizing numbers. So, your code is open to SQL injection attack. You have to either

    • escape it the same way as strings, as you are already quoting it
    • or cast it to the proper type, using the intval() function for example
    • or get rid of all escaping, quoting and casting and use prepared statements to bind variables. (It will require major code changes.)

Same for alias variable and, I suppose, all other dynamic queries in your site. You ought to fix it as soon as possible.
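
Points 1 and 3 above, as an added example that is not part of the original answer: it compares the question's order (escape, then decode) with the order the answer asks for, and validates the numeric id before it reaches a query. sqlEscapeModel() and urldecodeModel() are simplified stand-ins for mysql_real_escape_string() and urldecode(), parseId() is a hypothetical helper that rejects input instead of truncating it the way intval() does, and the sample title is constructed.

```javascript
// Simplified stand-in for mysql_real_escape_string(): backslash-escapes
// backslashes and quotes only (the real function covers more bytes).
function sqlEscapeModel(value) {
  return value.replace(/[\\'"]/g, (ch) => '\\' + ch);
}

// Simplified stand-in for PHP urldecode(); assumes well-formed input.
function urldecodeModel(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Counts quotes that are not preceded by a backslash. Each one would end
// the SQL string literal early.
function unescapedQuotes(value) {
  let count = 0;
  for (let i = 0; i < value.length; i++) {
    if (value[i] === '\\') { i++; continue; } // skip the escaped character
    if (value[i] === "'" || value[i] === '"') count++;
  }
  return count;
}

// Order used in the question: the decode runs after the escaping and
// produces a quote the escaping never saw.
function escapeThenDecode(value) {
  return urldecodeModel(sqlEscapeModel(value));
}

// Order the answer asks for: escaping is the last step before the query.
function decodeThenEscape(value) {
  return sqlEscapeModel(urldecodeModel(value));
}

// Point 3: accept an id only if it is a plain decimal integer.
function parseId(raw) {
  if (!/^[0-9]{1,9}$/.test(raw)) {
    throw new RangeError('id must be a positive integer');
  }
  return Number(raw);
}

const title = 'Fiddes%27s wax'; // constructed sample value
console.log(escapeThenDecode(title), unescapedQuotes(escapeThenDecode(title)));
console.log(decodeThenEscape(title), unescapedQuotes(decodeThenEscape(title)));
console.log(parseId('42'));
```

With prepared statements, the third option in the list, the value is bound as a parameter and the escaping step disappears entirely.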


It seemed the answer lay in TinyMCE. I was mysql_real_escape_stringing the string but TinyMCE does that already for you by default, so when PHP was unescaping these characters, it was only escaping one instance of it, instead of all instances of it.
