传递“("和“)"通过 URI 导致 403 错误,我该如何对其进行编码?

2022-01-15 00:00:00 encode xmlhttprequest javascript

(用于 XML HTTP 请求的 JavaScript 和用于执行 SQL 查询的 PHP.)

我正在构建一个执行查询的网络应用程序.它使用 XMLHTTP 请求 GET 方法并将查询传递给执行它的 PHP 脚本.在我在其中引入括号 ( ) 之前,它工作正常.

这是一个如何工作的例子:

函数执行Qry(){qry = document.getElementByID('textarea').value;qryHTTPRequest(encodeURI(qry));//我也试过 encodeURIComponent(qry);}函数 xmlHTTPRequest(qry){//获取urlFetch = "http://my.url.com/script.php?qry=" + qry;}

这是一个快速参考,我知道我的 xmlhttp 请求可以正常工作,因为它可以完成在传递其他查询时需要执行的操作,例如:

SELECT * FROM `tableName`

工作正常,但是当你尝试做类似的事情时

创建表`new_table`AS(选择 * FROM `old_table`)

然后这是它无法执行的时候,我收到 403 错误,所以我认为它与 () 相关,因为我什至在 PHP 本身上尝试了相同的代码,而不必通过它并且它起作用了,所以URL编码过程一定有问题吗?如果这是问题,是否有编码这些字符的方法?我假设还有其他字符没有使用 encodeURI() 方法以及 encodeURIComponent() 进行编码.提前致谢!

解决方案

下面应该这样做:

urlFetch = "http://my.url.com/script.php?qry=" + encodeURIComponent(qry).replace(/(/g, "%28").replace(/)/g, "%29");

括号在 URI 语法中很奇怪.许多编码器将它们视为特殊的,即使它们仅出现在过时标记"产生中.使用常见的 Web 协议(httphttpsmailto)可以安全地将它们编码为 %28%29 虽然允许 Web 服务器为它们分配特殊含义.您已经在使用 encodeURIencodeURIComponent 所以您已经假设 URL 转义序列是 UTF-8.

来自 RFC 3986:

<块引用>

子分隔符!"/$"/&"/'"/("/)"/*"/+"/,"/;"/="

...

过时的规则翻译标记              "-"/"_"/"."/!"/~"/*"/'"/"("/")"

(JavaScript for the XML HTTP request and PHP for the execution SQL query.)

I'm building a web app that executes queries. It uses the XMLHTTP request GET method and passes a query to a PHP script that executes it. It works fine until I introduce parentheses ( ) in it.

Here is an example of how works:

function executeQry(){
qry = document.getElementByID('textarea').value;
qryHTTPRequest(encodeURI(qry));
//I've also tried encodeURIComponent(qry);
}


function xmlHTTPRequest(qry){
//fetches 
urlFetch = "http://my.url.com/script.php?qry=" + qry;
 }

this is a quick reference, I know that my xmlhttp request works fine because it does what it needs to do when other queries are passed through for example:

SELECT * FROM `tableName`

works fine, but when you try to do something like

CREATE TABLE `new_table`
AS (SELECT * FROM `old_table`)

Then this is when it won't execute, I get the 403 error so I figured that it's an with the () because I even tried this same code on the PHP itself, without having to pass it through and it worked, so there must be an issue with the URL encoding process right? If this is the issue, is there a method for encoding these characters? I assume there are other characters that don't get encoded with encodeURI() method as well as the encodeURIComponent(). Thanks in advance!

解决方案

The below should do it:

urlFetch = "http://my.url.com/script.php?qry=" + encodeURIComponent(qry)
    .replace(/(/g, "%28").replace(/)/g, "%29");

Parentheses are oddballs in the URI grammar. Many encoders treat them as special even though they only appear in the obsolete "mark" production. With common web protocols (http, https, mailto) it is safe to encode them to %28 and %29 though web servers are allowed to assign special meanings to them. You are already using encodeURI or encodeURIComponent so you are already assuming that URL escape sequences are UTF-8.

From RFC 3986:

sub-delims    "!" / "$" / "&" / "'" / "(" / ")"
            / "*" / "+" / "," / ";" / "="

...

obsolete rule     translation
mark              "-" / "_" / "." / "!" / "~" / "*" / "'"
                / "(" / ")"

相关文章