括号传递的URL突破codigniter查询 [英] Parentheses passed in url break codigniter query

查看:198
本文介绍了括号传递的URL突破codigniter查询的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个字符串通过一个URL到codeigniter驱动的网站传递。该字符串urlen $ C $光盘被传递之前,然后urlde $ C $光盘由控制器被传递到在搜索串中一个数据库表中的模型的函数之前。我读过有关这几款其他职位/文章,但没有提供一个可行的(对我来说)解决这一问题。下面是一些我看过的事情:

I have a string being passed via an URL to a Codeigniter driven site. The string is urlencoded before being passed, then urldecoded by the controller before being passed to a function in the model that searches for the string in a database table. I've read several other posts/articles on this, but none offer a viable (for me) solution to the issue. Here are some of the things I have read:

<一个href="http://stackoverflow.com/questions/14466096/url-having-parentheses-not-working-in-$c$cigniter-with-datamapper-orm">URL有括号不工作在codeigniter与DataMapper的ORM

<一个href="http://stackoverflow.com/questions/17445869/parenthesis-issue-in-$c$cigniter-url/17445904#17445904">Parenthesis问题codeigniter网址

<一个href="http://stackoverflow.com/questions/12150319/php-rawurlde$c$c-doesnt-produce-same-string-passed-to-rawurlen$c$c">php rawurlde code不会产生相同的字符串传递给rawurlen code

<一个href="http://qubitlogs.com/PHP/2013/01/24/parentheses-in-urls-not-working-$c$cigniter-datamapper-orm/#.U0MtAce7mxa" rel="nofollow">http://qubitlogs.com/PHP/2013/01/24/parentheses-in-urls-not-working-$c$cigniter-datamapper-orm/#.U0MtAce7mxa

和这里发生了什么:

这是URL连接codeD字符串获取通过传递的url,像这样:

An url encoded string gets passed via an url, like so:

http://www.awebsite.com/controllername/functionname/test%28string%29

该控制器处理这个像这样:

The controller handles this like so:

public function functionname($string) {
    $this->load->model("codeigniter_model");
    $dstring = urldecode($string);
    $validString = $this->codeigniter_model->valid_string($dstring);        
    if (!$validString) { 
        $thiserror =  "<br>Error: Invalid String. (".$dstring.")"; 
        echo $thiserror; 
        exit;
    }
}

和模型:

function valid_string($string)
    {
    $sql = "select id from dbtable where dbfield = ?"; 
    $query = $this->db->query($sql, array($string));
    //Added this in to see what the query actually end up being
    echo $this->db->last_query();
        if ($query->num_rows() > 0) :
            return TRUE;
        else:
            return FALSE;       
        endif;
}

的呼应查询是正确的:从DBTABLE选择id其中dbfield ='测试(串),并在Navicat运行时返回正确的ID。然而 - codeigniter返回FALSE在查询

The echoed query is correct: select id from dbtable where dbfield = 'test(string)' and when run in Navicat returns the proper id. However - Codeigniter returns FALSE on the query.

我还检查了在字符串中查询得到呼应不包含HTML实体。

I have also checked that the string in the query getting echoed does NOT contain HTML entities.

我有超过字符串无法控制的传递和真正需要codeigniter接受(和)作为字符串的一部分。

I have no control over the string being passed and really need Codeigniter to accept ( and ) as part of the string.

思想,任何人吗?

编辑:当相同的字符串是通过从一种形式后传递到codeigniter控制器,它正常工作

When the same string is passed to the Codeigniter controller via a post from a form, it works properly.

编辑#2:刚才试着使用Active Record的方法创建查询,如下建议:不能添加另一个链接,以便:ellislab.com论坛viewthread 162036

EDIT #2: Just tried creating the query using the Active Record method as suggested here: CAN'T ADD ANOTHER LINK SO : ellislab.com forums viewthread 162036

本:

$this->db->select('id');
$this->db->where('dbfield', "'".$string."'", FALSE);
$query = $this->db->get('dbfield');

也不起作用。

does not work either.

编辑#3:感谢Kyslik使用探查建议。该字符串显然是HTML连接codeD毕竟:从用户选择id其中字符串='测试及放大器;#40;串放大器;#41;这当然将返回因为HTML实体的假。

EDIT #3: Thanks to Kyslik for suggesting using profiler. The string is apparently being html encoded after all: select id from users where string = 'test&#40;string&#41;' which, of course WOULD return false because of the HTML entities.

不幸的是,增加code同时使用常规查询和活动记录查询中删除这些实体:

Unfortunately, adding code to remove those entities using both a regular query and an active record query:

$ SQL =选择DBTABLE id其中dbfield =?; $查询= $这个 - &GT; DB-&GT;查询($的SQL,阵列(htmlspecialchars_de code($字符串)));

$sql = "select id from dbtable where dbfield = ?"; $query = $this->db->query($sql, array(htmlspecialchars_decode($string)));

$这个 - &GT; DB-&GT;选择('身份证'); $这 - &GT; DB-化合物其中('dbfield','.htmlspecialchars_de code($字符串)。',FALSE); $查询= $这个 - &GT; DB-&GT;获得(DBTABLE');

$this->db->select('id'); $this->db->where('dbfield', "'".htmlspecialchars_decode ($string)."'", FALSE); $query = $this->db->get('dbtable');

仍然不能正常工作。

推荐答案

答案是htmlspecialchars_de code()不c中的实体(和)去$ C $。如果我添加此code到控制器传递的字符串(和AFTER URL解码)之前:

The answer is that htmlspecialchars_decode() does NOT decode the entities for ( and ). If I add this code to the controller before passing the string (and AFTER url decoding):

$ dstring中= str_replace函数(&放大器;#40;,(,$ dstring中); $ dstring中= str_replace函数(&放大器;#41;,),$ dstring中);

$dstring = str_replace("&#40;", "(", $dstring); $dstring = str_replace("&#41;", ")", $dstring);

然后一切正常,因为它应该。

Then everything works as it should.

这篇关于括号传递的URL突破codigniter查询的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
高性能数据库开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆