Post escaped Javascript array and unescape it in PHP - javascript
I have some javascript code that gets the value of two html form input fields. I escaped the values to allow users to enter in special characters and then placed them into an array that is stringified and then posted.
$(document).ready(function() {
    $("#submit").click(function() {
        var BuilderName = escape($('[name=BuilderName]').val());
        var OwnersName = escape($('[name=OwnersName]').val());
        var arraydata = [BuilderName, OwnersName];
        $.post("DCF_Update_Query.php", {
            data: JSON.stringify(arraydata)
        }, function() {
            alert('Successful');
        }).fail(function() {
            alert('Failed');
        });
    });
});
In my PHP file I retrieve and decode the array and insert it into my database.
$data = json_decode($_POST['data']);
mysqli_query($conn,"INSERT INTO dcf (BuilderName, OwnersName)
VALUES ('$data[0]','$data[1]')");
My problem is that the escaped characters are entering the database as %26, %27, etc. How can I un-escape those characters and then re-escape them using mysqli_real_escape_string()? Also, I've heard that json_decode() automatically escapes special characters. If this is the case, then do I even need to escape them with mysqli_real_escape_string()? I'd greatly appreciate any help. Thanks!
You really, really, REALLY need a prepared statement here. No escaping needed:
$prep = $conn->prepare("INSERT INTO dcf (BuilderName, OwnersName) VALUES (?, ?)");
$prep->bind_param('ss', $data[0], $data[1]);
$prep->execute();
Try passing the contents of your $data variable through the urldecode function:
// json_decode() returns an array here, so decode each element separately
$data = array_map('urldecode', json_decode($_POST['data']));
Related
How to insert valid JSON that contains single quotes into MySQL
My goal is simply to convert a JavaScript object to JSON and insert it into a MySQL row that stores the MySQL JSON data type. This process must happen as part of a large batch insert, so I cannot edit the data manually. When I call JSON.stringify on the object, I get valid JSON, but, because the object contains song lyrics that often contain single quotes, when I try to run the SQL query, MySQL throws a parse error.
This works fine:
const validJson = '{"foo": "bar", "buzz": 1}';
INSERT INTO table_name ( songid, json ) VALUES ( ${song.songid}, ${validJson} );
But this doesn't:
const validJsonWithASingleQuote = {"foo's": "bar", "buzz": 1}';
INSERT INTO table_name ( songid, json ) VALUES ( ${song.songid}, ${validJsonWithASingleQuote} );
I also tried using a prepared statement with no luck:
PREPARE myInsert FROM 'INSERT INTO table_name ( songid, json ) VALUES ( ?, ? )';
SET @a = ${song.songid};
SET @b = ${JSON.stringify(r)};
EXECUTE myInsert USING @a, @b;
I should also mention that the original JavaScript objects contain strings that have single quotes escaped with "\". The JSON.stringify method decodes those backslashes. Unfortunately, all of the SO questions I have found on this topic either recommend escaping single quotes with "\" manually or they have gone unresolved. Is there a programmatic way to accomplish this? Perhaps a JavaScript or MySQL method that would generate valid JSON and leave the "\'" sequences in?
I finally found my way to this answer: https://stackoverflow.com/a/49525488/1359529 Turns out the Node.js driver for mysql contains an escape method. So, something like this works:
PREPARE myInsert FROM 'INSERT INTO table_name ( songid, json ) VALUES ( ?, ? )';
SET @a = ${song.songid};
SET @b = ${mysql.escape(JSON.stringify(sr))};
EXECUTE myInsert USING @a, @b;
This tripped me up for a couple of days! I'm using the package and was having trouble with a single quote as a prop value:
{ name: "Jade's Palace", }
I struggled to escape the single quote for mysql and could not create "Jade's Palace" because JS uses \ as its escape char. The solution was a prepared statement with the escape method.
const query = 'INSERT INTO Places(id, data) VALUES ?';
const params = results.data?.map((data: any) => [
    data.id,
    { toSqlString: () => connection?.escape(JSON.stringify(data)) },
]);
await connection.query(query, [params]);
javascript equivalent of mysql char
I insert a byte array to mysql using CHAR(2,3,5) I wanted to directly insert the character string so I tried inserting the result of String.fromCharCode.apply(null, bytearray) But I'm not getting the same result. Anyone know what I'm doing wrong? Edit: Here is the array I'm trying on. I tried escaping with the methods at Making a javascript string sql friendly but the value inserted is not the same
var field = [65, 66, 67]
var result = String.fromCharCode.apply(null, field);
console.log(result);
Works. I get 'ABC' as a result. What's the problem?
Remove Backslash Escaping in Javascript Array
I have a pretty complex problem. I'm using PHP to parse a CSV file to an array and then var array = <?php echo json_encode( $array ) ?>; to pass it to the Javascript array. array is 2-dimensional, like so:
var array = [["\/\\ssa","14104","26","2113","0","867","28083","15","43695"],
["Yee","8661","24","2215","0","991","25245","15","49086"],...]
Now sometimes there seems to be a problem with backslash escapes in the username when it is structured like this: ["username\","sth","sth",...], so when the username ends with a backslash \ . The output will be: username", sth, sth, ... But this is only the first element of the sub-array, the other 8 places are empty. I have already tried to fix it with a loop replace, but I don't know how to add \" as search value. Is this impossible to do in JS since \" always escapes? Already tried charAt() to compare the last character with the backslash, but no success. Do I have to replace it before passing it to JS, in PHP? The Parse function is this, if it's important:
<?php
$url = "data.csv";
$csvData = file_get_contents($url);
$lines = explode(PHP_EOL, $csvData);
$array = array();
foreach ($lines as $line) {
    $array[] = str_getcsv($line);
}
?>
Here is a JSfiddle you can play with: https://jsfiddle.net/cLmbe0qf/
You just need to replace backslashes with an HTML special character:
foreach ($lines as $line) {
    // &#92; is the numeric HTML entity for a backslash
    $line = str_replace("\\", "&#92;", $line);
    // ...
}
This is a little bit more tricky since you have to parse the javascript into an object/array. Anytime you do this, the backslash is parsed out. To avoid doing this you need to store the value in the HTML page or use String.raw to get the literal version of the string. One way to implement it is to put the string in the html and get the value of a hidden textarea. (You could store it anywhere, I just chose textarea.) You then pass it through this javascript function slashParse which will replace all slashes with ~{}~ then run the javascript parsing algorithm, then replace the ~{}~ back to the backslashes.
function slashParse(target) {
    var value = document.getElementById(target).value;
    var replacedVal = value.replace(/\\/g, '~{}~');
    var parsedVal = JSON.parse(replacedVal);
    var mappedVal = parsedVal.map(function(item) {
        return item.replace(/~{}~/g, '\\');
    });
    return mappedVal;
}
var parsed = slashParse('input');
console.log(parsed)
document.getElementById("test").innerText = parsed;
<body> <div id="test"></div> </body>
<textarea style="display:none" id="input">["use\rna</textarea><textarea>me\\","2","3","4"]</textarea>
What echoing it out onto the page might look like would be like this.
<textarea style="display:none" id="php-part">
<?=htmlentities(json_encode($array), ENT_NOQUOTES)?>
</textarea>
This is only one solution of a few more. Another option is to do more parsing on the php side of things. The problem you will run into is that at some point you need to run the string through the JavaScript parsing program. When that happens you cannot have any backslashes. Then after you run it through the parsing, you will have to convert all hidden backslashes back to backslashes. The one problem with this method is that if there is anywhere EVER where ~{}~ is being placed in the string, it will be converted to backslashes afterwards. Something you can do in order to make it more aloof is to make the string backslashes get turned into something even more obfuscated, such as ~{BACKSLASH_ESCAPE}~
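The backslash handling discussed in this thread, as an added example that is not from any of the posts: it decodes JSON text of the kind json_encode() emits and runs the sentinel swap over the same text. FROM_PHP is a constructed sample, and decode, sentinelParse and sentinelOutcome are hypothetical names.

```javascript
// Added example. FROM_PHP is constructed: it is the text PHP's json_encode()
// emits for these rows (json_encode writes "\" as "\\" and "/" as "\/").
// String.raw keeps every backslash exactly as it would appear in page source.
const FROM_PHP = String.raw`[["\/\\ssa","14104"],["username\\","8661"],["say \"hi\"","24"]]`;

// Plain decode: the JSON parser undoes exactly the escaping json_encode added,
// so a value ending in a backslash comes back unchanged.
function decode(jsonText) {
  return JSON.parse(jsonText);
}

// The sentinel swap from the answer above, adapted (hypothetical helper) to
// take the text directly and to handle rows of cells.
function sentinelParse(jsonText, sentinel = "~{}~") {
  const swapped = jsonText.split("\\").join(sentinel);
  return JSON.parse(swapped).map((row) =>
    row.map((cell) => cell.split(sentinel).join("\\"))
  );
}

// Run sentinelParse without letting a parse error escape.
function sentinelOutcome(jsonText) {
  try {
    return { ok: true, value: sentinelParse(jsonText) };
  } catch (err) {
    return { ok: false, error: err.name };
  }
}

// Three cases, all constructed:
// 1. correctly encoded text decodes cleanly with JSON.parse alone
console.log(decode(FROM_PHP));
// 2. the swap doubles every backslash that was already escaped
console.log(sentinelOutcome(String.raw`[["username\\","8661"]]`));
// 3. the swap removes the backslash that protects an embedded quote,
//    so the parser rejects the text
console.log(sentinelOutcome(FROM_PHP));
// 4. data that happens to contain the sentinel is silently rewritten
console.log(sentinelOutcome(`[["a~{}~b","1"]]`));
```
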
How do I save special characters from a textfield ('+<>$") into a database, then retrieve them with PHP?
I have a textarea created for a personal message, with a subject. It is passed to a Javascript/jQuery function, which passes it to a PHP file to store in the database. However, when special characters such as the ampersand, less than, greater than, apostrophe, plus sign, and quotations are used, it doesn't store correctly in my database. So without saying, when I retrieve the data, the data is not displayed properly. Here is the HTML:
<input id="pmsubject" placeholder="Subject"><br />
<textarea id="pmtext" placeholder="Send a private message"></textarea>
<button id="pmBtn" onclick="postPm(pmsubject,pmtext)">Send</button>
Here is the Javascript/jQuery (partial):
function postPm(subject,textarea){
    var data = $("#textarea").val();
    var data2 = $("#subject").val();
I do some error checking and handling then send my information with AJAX:
type: "POST",
url: "pm_system.php",
data:"data="+data+"&data2="+data2,
So far so good right? Here is the pm_system.php portion where I store the code:
$data = htmlentities($_POST['data']);
$data = mysqli_real_escape_string($db_con, $data);
$data2 = htmlentities($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);
$sql = "INSERT INTO pm(subject, message) VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);
So if I write a message that says, I'm a big fan of cats + dogs & "sometimes" birds. My output would be: I\'m a big fan of cats dogs It always puts slashes in front of quotations and apostrophes, always replaces + sign with a space, and nothing follows after an ampersand sign. I've tried replacing the characters like this in Javascript:
data = data.replace(/\"/g, '"'); //Just using one for example
But that doesn't work either. How do I save these characters from a textarea in a database, unaltered?
I would guess that the data you receive through your JavaScript function is already escaped. So when you enter I'm a big fan of cats dog you get I\'m a big fan of cats dogs in your PHP script. When you then use mysqli_real_escape() you are adding another escape character. So you might want to replace the escape character before:
$data = stripslashes($_POST['data']);
$data = mysqli_real_escape_string($db_con, $data);
$data2 = stripslashes($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);
$sql = "INSERT INTO pm(subject, message) VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);
I would not recommend using htmlentities() but save the data "as is" into the database as otherwise things like full text searches don't work correctly. The issue with the + sign is probably because you send the values as a query string
data:"data="+data+"&data2="+data2
and in a URL, a + sign is used for a space. To fix that, you should rather pass the data as an object:
type: "POST",
url: "pm_system.php",
data: { "data": data, "data2": data2 },
That should also fix most of the other problematic characters.
I'd suggest trying htmlspecialchars() instead of htmlentities(). I've had some troubles with htmlentities() and outputting the data in the past. Using htmlspecialchars() solved it.
AJAX POST and Plus Sign ( + ) -- How to Encode?
I'm POSTing the contents of a form field via AJAX to a PHP script and using JavaScript to escape(field_contents). The problem is that any plus signs are being stripped out and replaced by spaces. How can I safely 'encode' the plus sign and then appropriately 'decode' it on the PHP side?
Use encodeURIComponent() in JS and in PHP you should receive the correct values.
Note: When you access $_GET, $_POST or $_REQUEST in PHP, you are retrieving values that have already been decoded.
Example: In your JS:
// url encode your string
var string = encodeURIComponent('+'); // "%2B"
// send it to your server
window.location = 'http://example.com/?string='+string; // http://example.com/?string=%2B
On your server:
echo $_GET['string']; // "+"
It is only the raw HTTP request that contains the url encoded data. For a GET request you can retrieve this from the URI. $_SERVER['REQUEST_URI'] or $_SERVER['QUERY_STRING']. For a urlencoded POST, file_get_contents('php://stdin')
NB: decode() only works for single byte encoded characters. It will not work for the full UTF-8 range. eg:
text = "\u0100"; // Ā
// incorrect
escape(text); // %u0100
// correct
encodeURIComponent(text); // "%C4%80"
Note: "%C4%80" is equivalent to: escape('\xc4\x80') Which is the byte sequence (\xc4\x80) that represents Ā in UTF-8. So if you use encodeURIComponent() your server side must know that it is receiving UTF-8. Otherwise PHP will mangle the encoding.
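The encoding behaviour described in this thread, and in the escape()/JSON and textarea questions earlier on the page, as an added example that is not from any of the posts. It assumes URLSearchParams behaves like the server's form decoder (the step that fills $_POST); SAMPLE and the function names are constructed for the illustration.

```javascript
// Added example. All inputs are constructed; nothing is sent over the network.
// Assumption: URLSearchParams stands in for the server's
// application/x-www-form-urlencoded decoder (the step that fills $_POST).

const SAMPLE = `I'm a big fan of cats + dogs & "sometimes" birds.`;

// What the server-side form decoder hands to the application for one field.
function serverSees(body, field) {
  return new URLSearchParams(body).get(field);
}

// Three ways the threads build the request body for a single field.
const builders = {
  // data: "data=" + value  (no encoding: "&" ends the field, "+" is a space)
  rawConcat: (v) => "data=" + v,
  // escape(): leaves "+" alone and emits %uXXXX for code units above 0xFF
  legacyEscape: (v) => "data=" + escape(v),
  // encodeURIComponent(): UTF-8 percent-encoding, "+" becomes %2B
  componentEncoded: (v) => "data=" + encodeURIComponent(v),
};

// Send `value` with every builder and report what arrives on the server.
function compare(value) {
  const out = {};
  for (const [name, build] of Object.entries(builders)) {
    const received = serverSees(build(value), "data");
    out[name] = { received, intact: received === value };
  }
  return out;
}

// The first question's pipeline: optionally escape() each value,
// JSON.stringify the array, then let the HTTP library form-encode the field
// (jQuery does this for an object passed as `data`; URLSearchParams plays
// that role here). The server form-decodes once and then JSON-decodes.
function postJsonArray(values, preEscape) {
  const prepared = preEscape ? values.map((v) => escape(v)) : values;
  const body = new URLSearchParams({ data: JSON.stringify(prepared) }).toString();
  return JSON.parse(serverSees(body, "data"));
}

console.log(compare(SAMPLE));      // only componentEncoded arrives intact
console.log(compare("\u0100"));    // escape() delivers the literal text %u0100
console.log(postJsonArray(["Tom & Jerry's"], true));   // %26 and %27 reach the database
console.log(postJsonArray(["Tom & Jerry's"], false));  // value arrives unchanged
```

With the value arriving unchanged, the only remaining step on the server is binding it as a parameter of a prepared statement, as the first answer on the page shows.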
In JavaScript try: encodeURIComponent() and in PHP: urldecode($_POST['field']);
The hexadecimal value you are looking for is %2B. To get it automatically in PHP run your string through urlencode($stringVal). And then run it through urldecode($stringVal) to get it back. If you want the JavaScript to handle it, use escape( str ) Edit: After @bobince's comment I did more reading and he is correct. Use encodeURIComponent(str) and decodeURIComponent(str). Escape will not convert the characters, only escape them with \'s
To make it more interesting and to hopefully enable less hair pulling for someone else. Using python, built dictionary for a device which we can use curl to configure.
Problem: {"timezone":"+5"} //throws an error " 5"
Solution: {"timezone":"%2B"+"5"} //Works
So, in a nutshell:
var = {"timezone":"%2B"+"5"}
json = JSONEncoder().encode(var)
subprocess.call(["curl",ipaddress,"-XPUT","-d","data="+json])
Thanks to this post!
If you have to do a curl in PHP, you should use urlencode() from PHP, but on each value individually!
$strPOST = "Item1=" . $Value1 . "&Item2=" . urlencode("+");
If you do urlencode($strPOST), you will create another problem: you will have one Item1, and the & will be changed to a %xx value and everything will be treated as one value. See the result below!
Example 1
$strPOST = "Item1=" . $Value1 . "&Item2=" . urlencode("+");
will give Item1=Value1&Item2=%2B
Example 2
$strPOST = urlencode("Item1=" . $Value1 . "&Item2=+");
will give Item1%3DValue1%26Item2%3D%2B
Example 1 is the good way to prepare a string for POST in curl. Example 2 shows that the receiver will not see the equal sign and the ampersand needed to distinguish both values!
My problem was with the accents (á É ñ ) and the plus sign (+) when I tried to save javascript "code examples" to mysql. My solution (not the better way, but it works):
javascript:
function replaceAll( text, busca, reemplaza ){
    while (text.toString().indexOf(busca) != -1)
        text = text.toString().replace(busca,reemplaza);
    return text;
}
function cleanCode(cod){
    var code = replaceAll(cod , "|", "{1}" ); // error: | characters used by explode in java
    code = replaceAll(code, "+", "{0}" ); // error with plus signs
    return code;
}
function to save:
function save(pid,code){
    code = cleanCode(code); // fix sign + and |
    code = escape(code); // fix accents
    var url = 'editor.php';
    var variables = 'op=save';
    var myData = variables +'&code='+ code +'&pid='+ pid +'&newdate=' +(new Date()).getTime();
    var result = null;
    $.ajax({
        datatype : "html",
        data: myData,
        url: url,
        success : function(result) {
            alert(result); // result ok
        },
    });
} // end function
function in php:
<?php
function save($pid,$code){
    $code= preg_replace("[\{1\}]","|",$code);
    $code= preg_replace("[\{0\}]","+",$code);
    // note: $pid is interpolated into the query without escaping
    mysql_query("update table set code= '" . mysql_real_escape_string($code) . "' where pid='$pid'");
}
?>