JQuery AJAX + C CGI
[英]JQuery AJAX + C CGI
问题描述
Could someone please explain to me how to use JQuery AJAX with C CGI. 
有人可以向我解释如何使用C CGI的JQuery AJAX。
How I am going to initialize the header? 我将如何初始化标题?
This is a snippet of my js code: 这是我的js代码的片段:
$.ajax({
type: "post",
url: "check_username.cgi",
data: username,
function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
});
Here is a snippet from my c code that is compiled successfully: 这是我的c代码成功编译的代码片段:
printf("Content-type:text/html; charset=UTF-8\n\n"); \\I am having problem with this line.
int size, exists;
int length = (int) atoi(getenv("CONTENT_LENGTH"));
char username[length], query[128] = "select username from users where username = ";
fgets(username, length, stdin);
MYSQL *conn = mysql_init(NULL);
mysql_real_connect(conn, server, user, password, database, 0, NULL, 0);
strcat(query, username);
strcat(query, ";");
exists = (int) mysql_num_rows((MYSQL_RES *)mysql_query(conn, query));
mysql_close(conn);
if(exists) return 1;
else return 0;
After testing in my browser, here what returns in my console: 在我的浏览器中测试后,在我的控制台中返回的是:
Please, don't answer if you're just going to tell me use python or perl. 如果你只是想告诉我使用python或perl,请不要回答。
2 个解决方案
解决方案1
1 已采纳 2016-10-16 04:43:46
C is an extremely awkward language for web programming. C是一种非常笨拙的Web编程语言。
As you've requested, I will not tell you to use another language, but I will tell you that C is an extremely poor choice -- especially if you try to use only the standard library -- and you should reconsider this choice. 正如您所要求的,我不会告诉您使用其他语言,但我会告诉您C是一个非常糟糕的选择 - 特别是如果您尝试仅使用标准库 - 您应该重新考虑这个选择。 It is extremely easy to introduce security vulnerabilities in a C application, and in fact you have several rather serious ones in the short code sample you've provided which could have been easily avoided in another language. 在C应用程序中引入安全漏洞非常容易,实际上在您提供的短代码示例中有几个相当严重的漏洞可能很容易在另一种语言中避免。
printf("Content-type:text/html; charset=UTF-8\n\n");
A Content-Type of text/html is not appropriate for JSON output. Content-Type of text/html不适合JSON输出。 Use application/json . 使用application/json 。 (This is not a security issue, but it's worth noting.) (这不是安全问题,但值得注意。)
Printing headers all at once here also makes it impossible for you to return a HTTP error from your script later. 此处一次打印标题也使您无法在以后从脚本中返回HTTP错误。 It's typically best to defer headers until your response is ready. 通常最好推迟标头,直到您的响应准备就绪。
int length = (int) atoi(getenv("CONTENT_LENGTH"));
char username[length];
You are assuming that the query will have a CONTENT_LENGTH header. 您假设查询将具有CONTENT_LENGTH标头。 It may not. 它可能不会。 Never make assumptions about the presence or validity of HTTP headers. 永远不要假设HTTP标头的存在或有效性。
You are also assuming that the value of the CONTENT_LENGTH header will be a reasonable length to allocate on the stack. 您还假设CONTENT_LENGTH标头的值将是在堆栈上分配的合理长度。 It may not be. 它可能不是。
Avoid allocating variable-length data on the stack. 避免在堆栈上分配可变长度数据。 While it's a handy extension, it can go very wrong very easily. 虽然这是一个方便的扩展,但它很容易出错。
fgets(username, length, stdin);
You are assuming that the script will always receive POST data on standard input. 您假设脚本将始终在标准输入上接收POST数据。 This is not the case. 不是这种情况。 A GET or HEAD request to your script will have no content. 对脚本的GET或HEAD请求将没有内容。 (Remember what I said about assumptions earlier?) (还记得我之前对假设所说的话吗?)
You are also assuming that the input to the script will be the value of username . 您还假设脚本的输入将是username的值。 It is not. 它不是。 It will probably be in either application/x-www-form-urlencoded format ( foo=abc&bar=def ) or multipart/form-data format (more complicated, multiple lines). 它可能是application/x-www-form-urlencoded格式( foo=abc&bar=def )或multipart/form-data格式(更复杂,多行)。 You don't necessarily need to handle both here, but you need to at least check that the input is in the format you're expecting, parse it appropriately if it is, and return an error if it isn't. 你不一定需要在这里处理两者,但是你需要至少检查输入是否是你期望的格式,如果是,则解析它,如果不是则返回错误。
char query[128] = "select username from users where username = ";
…
strcat(query, username);
strcat(query, ";");
You are not quoting username . 您没有引用username 。 This makes the query fail, because most usernames will not be valid as literals in the SQL query here. 这使得查询失败,因为大多数用户名在此查询中不会作为SQL查询中的文字有效。
Not only that, but you are also concatenating user input to a SQL query without performing any form of escaping. 不仅如此,您还可以将用户输入连接到SQL查询,而无需执行任何形式的转义。 This makes your application vulnerable to SQL injection. 这使您的应用程序容易受到SQL注入攻击。 SQL metacharacters in username will be interpreted as part of the query. username SQL元字符将被解释为查询的一部分。 You must escape the value of username before including it in the query, or (ideally) use a parameterized query to avoid this problem altogether. 在将其包含在查询中之前,您必须转义username的值,或者(理想情况下)使用参数化查询来完全避免此问题。
Worse, you are concatenating user input to a fixed-size buffer without making any length checks. 更糟糕的是,您将用户输入连接到固定大小的缓冲区而不进行任何长度检查。 This makes your application vulnerable to a buffer overflow. 这使您的应用程序容易受到缓冲区溢出的影响 An overly long username may allow an attacker to execute arbitrary code in the context of your application. 过长的用户名可能允许攻击者在您的应用程序上下文中执行任意代码。 Do not use non-length-checked library functions like strcat() in web applications. 不要在Web应用程序中使用非长度检查的库函数,如strcat() 。
if(exists) return 1;
else return 0;
Last, but not least: the return value of a CGI script is meaningless. 最后,但并非最不重要:CGI脚本的返回值毫无意义。 If you want to send a result to the web browser, you need to print it in a format that the browser is expecting. 如果要将结果发送到Web浏览器,则需要以浏览器期望的格式打印它。 (In this case, JSON.) (在这种情况下,JSON。)
解决方案2
-1 2016-10-16 02:25:56
I know now the mistake. 我现在知道错误。 It is so simple. 这很简单。 This line: 这一行:
function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
should be: 应该:
success: function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.