How does position of parameters in a Query string affect the page? - javascript

I have an application with most of the code written in javascript. I am encountering a strange problem. I have a query string and my app reads it to perform various actions. Yesterday I changed the ordering of the query string parameters and the application stopped working. If I put the original order back then it starts working. What could be the reason? I thought that the effect of ordering of parameters should not matter. But, apparently it does matter for some reason. I am still trying to dig out what can be the issue but wanted to know if any one here has encountered a similar problem?
Thanks.

A properly written application will find a given query parameter in any order and will not be order sensitive. It is possible though to have poorly written parsing code that would only find a given parameter at the beginning, at the end, or only if after some other parameter. Without seeing the code that parses the query parameters, we can't really say what problem it has, but it is possible to have poorly written code that is position-sensitive.
If you post the code that parses the query parameters and the query string that works and the one that doesn't, we could advise more specifically. You should also check to make sure that your query parameters don't have any characters in them that are supposed to be encoded that could be throwing things off.

I have seen that kind of problem when the developer used the query string, as is, as a key to a cached object. When the query string changed, the key was not the same and the cache mechanism was failing (due to another bug).

It should not be a problem. Something else causes the error. Or you have some dependencies on the location variable that contains the URL.

Related

# character became %40 after setting in a $.param

I am using angularJS in my project. One of the function in my controller is to check if the inputted email already exist in the database.If it exists, the system will notify the user that it is already been used. To do that, I have to use $http with $params. However, even if the inputted email already exist, no feedback is given by the system. So I checked what's the value being checked by alerting the $params.
$scope.pop=function(email){
$params=$.param({
'email':email
})
alert($params)
}
I found out that the # character in the email became %40. For example: I input d_unknown#yahoo.com, it became d_unknown%40yahoo.com.
I tried to check the original data by:
$scope.pop=function(email){
alert(email)
}
And it looks fine, nothing changes.
How can I solve this?
It's the server's job to turn the URL encoded email address back into its original value. So your JavaScript is working perfectly, there's nothing to do there. Your server code is what needs to be fixed.
And if the application on the server isn't even decoding parameters before it's running the query against the database, it makes me feel like you may have some security issues to fix as well. Make sure that your parameters are decoded and cleaned before they are used in SQL queries. You can read more on cleaning parameters and SQL injection here.
Well, it's not really a problem, as you can see from RFC 2936, section 2.4:
For original character sequences that contain non-ASCII characters,
however, the situation is more difficult. Internet protocols that
transmit octet sequences intended to represent character sequences
are expected to provide some way of identifying the charset used, if
there might be more than one [RFC2277]. However, there is currently
no provision within the generic URI syntax to accomplish this
identification. An individual URI scheme may require a single
charset, define a default charset, or provide a way to indicate the
charset used.
However, if you really want to do this, you could use the method decodeURIComponent() to decode this URL this way:
var email = "d_unknown%40yahoo.com";
console.log(decodeURIComponent(email));
That is beacause all special characters get encoded.
But you can decode the string before you use it with decodeURIComponent() (in js, but there are functions for php and all the others to)

Multiple sorting for fields not working on Parse cloud code

When multiple values are passed to descending function in Parse cloud code javascript API, the query is not sorted completely. It ignores the second sorting parameter field.
Example:
query.descending('createdAt, playCount');
The query is sorted with createdAt but playCount is ignored. The Parse forum says its a bug and they working on fixing it. I have tried the following but not successful.
query.ascending('-createdAt, -playCount');
Does anyone know a work around for this?
The only place on parse.com where I see anything about this here on their dormant q/a support.
If you read the small print in the comments there, it turned out that the acceptable format is very brittle, disallowing whitespace. Given that, try:
query.descending('createdAt,playCount'); // deleted the blank after the comma

How to encode/decode URL parameters in javascript?

Before anyone jumps in and says, "Oh!! that's a bad idea", I know it is.
I want to keep both the key and value in the query string to be not easily visible to the end user.
I have something like this google.com/?category=textile&user=user1
I need to make it unintelligible like this: google.com/?kasjdhfkashasdfsf32423
Is there any way to achieve this in javascript. I have already seen this
I have already seen this
and this.
but I don't think encoding will solve the problem. Also, this code is entirely in client side. I know that it is not secure but I just need this is a naive, weak defense.
Please help.
Edit
I apologize if my question was not clear earlier.
The URL google.com/?category=textile&user=user1 is being passed on from a different application.
The values passed in the query string directly controls what is being displayed to the user. As is, anyone with no technical knowledge can easily change the value and view the data corresponding to a different category or user. I need to make this unintelligible so that it is not obvious. If a user is a techie and figures out the encryption used, then it is fine. I need a stop-gap solution till we have a better architecture in place
You can use base64. Javascript has native functions to do that :
alert(btoa("category=textile&user=user1")); // ==> Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx
and to reverse it :
alert(atob("Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx")); // ==> category=textile&user=user1
Be careful to read the doc if you have unicode strings, it's a little different : https://developer.mozilla.org/en-US/docs/Web/API/Window.btoa
If you don't looking for serious strong crypto, you can use ROT13:
http://en.wikipedia.org/wiki/ROT13
This is enough for slightly obfuscate keys/values in the your URLs.

Unable to debug an encodded javascript?

I’m having some problems debugging an encoded javacscript. This script I’m referring to given in this link over here.
The encoding here is simple and it works by shifting the unicodes values to whatever Codekey was use during encoding. The code that does the decoding is given here in plain English below:-
<script language="javascript">
function dF(s){
var s1=unescape(s.substr(0,s.length-1)); var t='';
for(i=0;i<s1.length;i++)t+=String.fromCharCode(s1.charCodeAt(i)-s.substr(s.length- 1,1));
document.write(unescape(t));
}
</script>
I’m interested in knowing or understanding the values (e.g s1,t). Like for example when the value of i=0 what values would the following attributes / method would hold
s1.charCodeAt(i) and s.substr(s.length-1,1)
The reason I’m doing this is to understand as to how a CodeKey function really works. I don’t see anything in the code above which tells it to decode on the basis of codekey value. The only thing I can point in the encoding text is the last character which is set to 1 , 2 ,3 or 4 depending upon the codekey selected during encoding process. One can verify using the link I have given above.
However, to debug, I’m using firebug addon with the script running as localhost on my wamp server. I’m able to put a breakpoint on the js using firebug but I’m unable to retrieve any of the user defined parameters or functions I mentioned above.
I want to know under this context what would be best way to debug this encoded js.

Building a SQLite statement in JS and I'm not getting the full command I want

So, I'm building a SQLite statement in JS. The problem is that it appears that %" is turning into "undefined"+ escaping the next character. Here is the exact code:
The part of the sql statement that is messing up is this:
"and s.plainText like '%"+searchText+"%'";
There is more before that, but it all builds correctly. So, in the program if I enter the following as the searchText:
foo
Then when I output the built sql statement to the console, I'm getting the following:
and s.plainText like 'undefinedoo%'
So, it appares that the %" is turning into undefined and causing the first letter of the searchText to be escaped.
How can I build this part of the sql statement correctly? I have to use the " cause the statement contains '. and I have to use the % cause I need the wildcard to seach a string of text.
If by JS you mean JavaScript, then this is not what's happening. Here's the jsfiddle:
http://jsfiddle.net/Ka938/
Try it and you will see it's not a JS problem. The escaping is probably happening later in the process, when this gets to the server or something. Don't know the exact details to help there.
As a guess, if you are using PHP and (s)printf, then sending %f (where f is coming from foo example you used) is going to mean it expects a float - it would display an error, though.
As a side note, it seems that you are sending SQL from the client to the server. If so, it's probably a very bad idea to do this, especially if you are not doing any SQL escaping, as you are not per above. Take a look here:
http://en.wikipedia.org/wiki/SQL_injection
for basic details.
I'm not familiar with webOS, but check this SOq for something that looks to be handling SQL parameters correctly:
in webOS, I need a method that, using the input, will doe a sql select command and returns the restults as an array
Definitively worth doing some more investigation about how to do this properly in webOS - Google is your friend.
The Mojo.Log commands processes the string that you pass a little like the printf function in C. That is you can specify some placeholders that will be filled with the value of the passed parameters. An example is a thousand words so:
Mojo.Log.info("My string is '%s' and my number is '%f'", strData, numData);
will print
My string is 'aaa' and my number is '1'
if strData is 'aaa' and numData is 1.
So most likely your string is built correctly, but printing it will try to replace the %f from %foo% with a parameter. The parameter is never passed so it is undefined. You should see the correct output if you use something else rather than 'foo' to test (try 'bbb').
For more information check out the documentation for Mojo.Log.
PS That being said it's not a good practice to construct your SQL statements like that, so I don't recommend it. Easy to do, but hard to read and maintain later :)

Categories

Resources