Tricky Error


Problem description



Good day all,
Ok, I have a pretty tricky problem that I need some help with.

I pass around search query information a fair amount (specifically
WHERE statements). Normally, I just rawurlencode() the buggers, and
pass them via the URL. I like having the where clauses in the URL,
because then someone can just bookmark the URL, or send it to a friend,
and I don't have to worry about a thing.

If someone does a search that requires a LIKE statement, the system
parses out the terms, and generates the LIKE statement, and passes the
LIKE statement to the search results page. This works great.

Almost all of the time.

Here's where the problem occurs:
If you search for a NUMBER, and the system uses a LIKE statement, the
string looks like this:

data LIKE('%415%')

Which is great... When I rawurlencode it, I get:

LIKE%28%27%25415%25%27%29

Looking at it more closely:
%25 = %
%27 = '
%28 = (
%29 = )

Which is GREAT... all that makes sense.

Unfortunately, when I rawurldecode that URL, I get:
LIKE('A5%')

It appears to be interpreting the %25 as a %, and then using that % on
the next two numbers... Ideas?

~D
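An added example, not part of the original post, that reproduces the symptom described above. One rawurlencode() followed by one rawurldecode() round-trips the clause; a second decode reads the "%41" inside "%415%" as the byte 0x41 (the letter A), which is the "A5%" the post reports. PHP already applies that first decode itself when it builds $_GET from the query string, so calling rawurldecode() on a $_GET value is the second decode. The parse_str() call below stands in for $_GET; the sample clause and variable names are constructed for the example.

```php
<?php
// Added example: reproduces the double-decoding described in the question.
// Sample WHERE fragment, constructed for this example.
$clause = "data LIKE('%415%')";

// Encode once, as the question does before putting the clause on the URL.
$encoded = rawurlencode($clause);

// One decode restores the original clause.
$once = rawurldecode($encoded);

// A second decode treats "%41" as a percent-escape for 'A' and leaves the
// trailing "%'" alone because it is not followed by two hex digits. This is
// the corrupted "A5%" value from the question.
$twice = rawurldecode($once);

// PHP performs the first decode itself when it populates $_GET from the
// query string. parse_str() applies the same decoding, so it stands in
// for $_GET here.
parse_str('q=' . $encoded, $params);
$fromGet = $params['q'];

// Round-trip check: one decode restores the clause, two do not.
var_dump($once === $clause, $twice === $clause);
echo $twice, PHP_EOL;

// The value as PHP hands it over in $_GET already equals the clause;
// running rawurldecode() on it again is what produces the corruption.
var_dump($fromGet === $clause, rawurldecode($fromGet) === $clause);
```

The practical consequence is that the results page should use the request parameter exactly as PHP delivers it, without a further rawurldecode() call; decoding is idempotent only for strings that contain no percent sign, which a LIKE pattern never satisfies.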

Solution

dr********@gmail.com wrote:

Good day all,
Ok, I have a pretty tricky problem that I need some help with.

I pass around search query information a fair amount (specifically
WHERE statements). Normally, I just rawurlencode() the buggers, and
pass them via the URL. I like having the where clauses in the URL,
because then someone can just bookmark the URL, or send it to a friend,
and I don't have to worry about a thing.


1. You should probably do some reading on "SQL injection" and tread
very carefully. Having SQL in your request (even if you're parsing it)
is playing with fire.
2. You can accomplish the whole "bookmarkable URL" thing without
putting your SQL right on the URL.

Here's a way to do it. Cache the SQL statements that your script creates
from the search query to the filesystem. An easy way to do that is to
md5() the constructed SQL statement, create a file with that md5() value
and put the SQL statement into the file. Then, put query=md5string on
your URLs. When that parameter is present, check the filesystem for the
appropriate cached query and pull it in, using it instead of your
defaults. Quick sample snippets are below.

--------------


$sql = "SELECT * FROM table";

// the md5() of the constructed SQL statement names the cache file
$cached_filename = md5($sql);
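The cache the answer sketches, written out as an added example that is not the answer's own code. It keeps the answer's design (server-side store keyed by an md5 hash, ?query=<key> on the URL, fall back to the default query when the key is unknown) and extends it in one way: the cached record holds the server-generated SQL together with its bound parameters, so the user's search term never becomes part of SQL text, which is the concern raised in point 1. The key is also validated as exactly 32 hex characters before it is used in a file path, so a crafted parameter cannot name a file outside the cache directory. The directory name, function names, the items table and the sample search are constructed for the example, and execution uses PDO against an in-memory SQLite database.

```php
<?php
// Added example: a hash-keyed query cache in the spirit of the answer.
// Directory, function names and sample data are constructed for the example.
const QUERY_CACHE_DIR = __DIR__ . '/query_cache';

// Build the statement from the user's search term. The term is returned as a
// bound parameter rather than spliced into the SQL, so the cached file holds
// only server-generated SQL text plus the values to bind.
function buildSearchQuery(string $term): array
{
    $sql = 'SELECT data FROM items WHERE data LIKE ?';
    return ['sql' => $sql, 'params' => ['%' . $term . '%']];
}

// Store the query and return the key that goes on the URL as ?query=<key>.
function cacheQuery(array $query): string
{
    if (!is_dir(QUERY_CACHE_DIR)) {
        mkdir(QUERY_CACHE_DIR, 0700, true);
    }
    $json = json_encode($query, JSON_THROW_ON_ERROR);
    $key = md5($json);
    file_put_contents(QUERY_CACHE_DIR . '/' . $key . '.json', $json, LOCK_EX);
    return $key;
}

// Load a cached query by key. Anything that is not exactly 32 lowercase hex
// characters is rejected before it touches the filesystem; an unknown key
// returns null so the caller can fall back to its default query.
function loadCachedQuery(string $key): ?array
{
    if (!preg_match('/^[a-f0-9]{32}$/', $key)) {
        return null;
    }
    $path = QUERY_CACHE_DIR . '/' . $key . '.json';
    if (!is_file($path)) {
        return null;
    }
    return json_decode(file_get_contents($path), true, 512, JSON_THROW_ON_ERROR);
}

// The search page caches the query and emits a bookmarkable URL that carries
// only the key, never SQL.
$key = cacheQuery(buildSearchQuery('415'));
$url = '/results.php?query=' . rawurlencode($key);
echo $url, PHP_EOL;

// The results page resolves the key (from $_GET when served over HTTP; the
// fallback to $key keeps this runnable from the command line).
$query = loadCachedQuery($_GET['query'] ?? $key);
if ($query === null) {
    $query = ['sql' => 'SELECT data FROM items', 'params' => []];
}

// Execute as a prepared statement so the cached parameters are bound, not
// interpolated. Constructed in-memory table for the demonstration.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE items (data TEXT)');
$pdo->exec("INSERT INTO items VALUES ('415 Main St'), ('no match')");
$stmt = $pdo->prepare($query['sql']);
$stmt->execute($query['params']);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Two design notes: the md5 key is a lookup handle, not a secret, so it only lets a client choose among statements the server itself produced; and because the cached record carries parameters separately, the LIKE pattern with its percent signs never goes through URL decoding at all, which also sidesteps the double-decoding problem from the question.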

