[sclug] URL encoding/decoding question
Roland Turner SCLUG
raz.fpyht.bet.hx at raz.cx
Sun Feb 19 20:07:26 UTC 2006
On Sun, 2006-02-19 at 18:15 +0000, ed wrote:
> executeQuery( page.toString().replaceAll( "'", "\\''" ) );
>
> Should do the trick, all you need to do is replace all the ' characters
> with \', then SQL should ignore it, and just insert. To the best of my
> knowledge that worked fine when I stored a few thousand binaries in db
> rows.
(shudder)
This is wasteful, ugly and not portable. You _REALLY_ shouldn't allow
any data coming from a potentially hostile web-browser (which is pretty
much all of them) to go anywhere near a SQL parser (nor in fact a parser
for any other language)[1].
All SQL statements used in web apps should be parametric. Needless to
say, the existence of SQL injection vulnerabilities in hundreds
(probably thousands) of web-apps demonstrates that many developers don't
adhere to this practice.
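To make the "parametric, not escaped" point concrete, here is an added example that is not from the thread. It uses Python's standard-library sqlite3 rather than the Java/JDBC code under discussion so that it runs offline; the table name, the sample body and the three function names are constructed for the illustration. It tries the quoted backslash recipe, standard doubled-quote escaping, and a bound parameter on the same input, and reports which of them stores the text intact.

```python
import sqlite3

# Constructed sample input (not from the thread): form text with an apostrophe,
# the kind of content a browser would submit from an HTML editor.
SAMPLE_BODY = "it's <b>bold</b> & 100% done"


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database with one table for page bodies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    return conn


def store_backslash_escaped(conn: sqlite3.Connection, body: str) -> None:
    """The quoted recipe: turn ' into \\' and splice the text into the statement.
    Backslash escaping is a MySQL extension; in standard SQL (SQLite here) the
    backslash is an ordinary character, so the quote still ends the literal."""
    escaped = body.replace("'", "\\'")
    conn.execute("INSERT INTO pages (body) VALUES ('" + escaped + "')")


def store_doubled_quote(conn: sqlite3.Connection, body: str) -> None:
    """Standard-SQL quoting ('' inside a literal). Portable for this one
    character, but every further special case is left to the developer."""
    escaped = body.replace("'", "''")
    conn.execute("INSERT INTO pages (body) VALUES ('" + escaped + "')")


def store_parametric(conn: sqlite3.Connection, body: str) -> None:
    """Roland's recommendation: the statement text is constant and the body is
    bound as a parameter, so the browser's data never reaches the SQL parser."""
    conn.execute("INSERT INTO pages (body) VALUES (?)", (body,))


def stored_bodies(conn: sqlite3.Connection) -> list[str]:
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


STRATEGIES = {
    "backslash": store_backslash_escaped,
    "doubled": store_doubled_quote,
    "parametric": store_parametric,
}


def compare(body: str) -> dict[str, str]:
    """Try each strategy on a fresh database; report 'ok' when the body is
    stored byte-for-byte, otherwise the database error text."""
    report = {}
    for name, store in STRATEGIES.items():
        conn = new_db()
        try:
            store(conn, body)
            report[name] = "ok" if stored_bodies(conn) == [body] else "corrupted"
        except sqlite3.Error as exc:
            report[name] = f"error: {exc}"
        finally:
            conn.close()
    return report


if __name__ == "__main__":
    for name, outcome in compare(SAMPLE_BODY).items():
        print(f"{name:10} {outcome}")
```

On SQLite the backslash variant fails with a syntax error at the first apostrophe, which is exactly the portability problem Roland raises; doubling the quote happens to work, and the bound parameter works without any knowledge of the dialect's quoting rules.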
> > 2. For some reason when I try to encode the " % " characters (space%
> > space), I get an encoded value of "+%25+" in the database but when I
> > try to decode this value, I get:
>
> With URL encoding, spaces become + and % becomes a hex reference,
> confusingly hex characters are represented with a leading '%', so a
> % is 37 in decimal, 25 in hex, so it would be represented as '%25'.
It occurs to me that perhaps the reason Pieter is getting the
"incomplete escape" message is that he's double-decoding:
"+%25+" -> " % "
" % " -> ERROR
Pieter?
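The double-decoding hypothesis, as an added example that is not part of the original post. Python's own urllib.parse.unquote_plus silently passes a bare "%" through, so the decoder below is a small strict one (assumed name `strict_unquote_plus`) that rejects malformed escapes the way the "incomplete escape" message in the thread suggests Pieter's decoder does; the encoding side uses the standard library's quote_plus.

```python
import re
from urllib.parse import quote_plus

# The value from the thread: space, percent, space. quote_plus turns the
# spaces into '+' and the '%' into its hex escape, giving "+%25+".
RAW_VALUE = " % "
ENCODED_VALUE = quote_plus(RAW_VALUE)

_HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def strict_unquote_plus(text: str) -> str:
    """Decode application/x-www-form-urlencoded text.

    A '%' must be followed by exactly two hex digits; anything else raises
    instead of being passed through. Decoded bytes are assumed to be UTF-8."""
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "+":
            out.append(0x20)  # '+' is the form encoding of a space
            i += 1
        elif ch == "%":
            hex_pair = text[i + 1:i + 3]
            if len(hex_pair) < 2:
                raise ValueError(f"incomplete escape at offset {i}: {text[i:]!r}")
            if not _HEX_PAIR.fullmatch(hex_pair):
                raise ValueError(f"illegal hex characters in escape at offset {i}: %{hex_pair}")
            out.append(int(hex_pair, 16))
            i += 3
        else:
            out.extend(ch.encode("utf-8"))
            i += 1
    return out.decode("utf-8")


def decode_times(text: str, times: int) -> tuple[str, str]:
    """Apply the decoder `times` times; return ('ok', value) or ('error', msg)."""
    value = text
    try:
        for _ in range(times):
            value = strict_unquote_plus(value)
        return ("ok", value)
    except ValueError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    print(f"stored:        {ENCODED_VALUE!r}")
    print(f"decoded once:  {decode_times(ENCODED_VALUE, 1)}")
    print(f"decoded twice: {decode_times(ENCODED_VALUE, 2)}")
```

The first decode yields " % ", a value that is no longer URL-encoded; feeding it to the decoder a second time hits a "%" followed by a space and a string end, which is the incomplete escape. The fix is to decode exactly once, at the boundary where the encoded form is received.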
(Oh, another question for Pieter: why are you writing your own web-based
HTML editor rather than using, e.g. FCK?)
- Raz
1: OK, I'm overstating a bit, particularly since Pieter's objective is a
web-based HTML editor (so the form content from the browser will
eventually be presented to a browser as HTML that is to be interpreted),
but it's still sound practice to keep the exposure to a minimum.