I have already read a lot of responses about this issue, and I didn't find one that is 100% correct.
The code I expect to create in php looks like this:
<a href="#" onclick="a_js_function('moduleSee.php','sql_restriction','popup')">See</a>
a_js_function() is an internal javascript function; it receives some arguments and will be called simply like this:
$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','sql_restriction','popup')";
$str .='">See</a>';
But the sql_restriction argument contains a quote:
concat('000000',table_id)
And the NOT 100%-working solution is putting \\' instead of ' => this allows the SQL query to run properly but creates a javascript error that blocks part of the page.
$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';
See what Chrome says:
Uncaught SyntaxError: Unexpected number -> points to the numbers of the received argument: concat('000000',table.id)
because with the \\' it receives ' around the 000; the argument of the js function makes the error, not the SQL. Avoiding these quotes in the number makes the SQL query not work.
Putting ' or \\" or \\\\' or '' doesn't work either, and neither does addslashes().
Any ideas?
The problem isn't how you are escaping your quotes - backslashes are correct. What's happening though is that you aren't escaping enough, as each time the code passes through a language, the escaping is done and the next language won't see it anymore. The code
$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')";
$str .='">See</a>';
is output from php as
<a href="#" onclick="
a_js_function('moduleSee.php','concat('000000',table.id)','popup')
">See</a>
Javascript sees the single quotes in the concat and tries to end the string, and then gets confused by the 0s, which aren't a javascript keyword. You need the javascript to see the following
<a href="#" onclick="
a_js_function('moduleSee.php','concat(\'000000\',table.id)','popup')
">See</a>
which is accomplished by escaping both the \\ and ' characters in php, meaning your php needs to look like
$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\\\'000000\\\',table.id)','popup')";
$str .='">See</a>';
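The layering described in the answer above can also be handled by encoding once per layer instead of counting backslashes by hand. This is an added example, not code from the original posts; js_arg() and onclick_call() are hypothetical helper names, and a_js_function is assumed to take plain string arguments.

```php
<?php
// Added example: one encoding step per layer (JS string literal, then HTML attribute).
// js_arg() and onclick_call() are hypothetical helper names.

/** Encode a PHP string as a JavaScript string literal (delimiters included). */
function js_arg(string $value): string
{
    // JSON_HEX_* turns ' " < > & inside the value into \uXXXX escapes, so the
    // literal holds no character that could end the JS string early.
    return json_encode(
        $value,
        JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

/** Build an onclick attribute value that calls $function with string $args. */
function onclick_call(string $function, array $args): string
{
    // The function name is written by the developer, never taken from input.
    if (!preg_match('/^[A-Za-z_$][A-Za-z0-9_$]*$/', $function)) {
        throw new InvalidArgumentException('invalid JavaScript function name');
    }
    $js = $function . '(' . implode(',', array_map('js_arg', $args)) . ')';

    // Second layer: the JS source sits inside a double-quoted HTML attribute,
    // so the literal's own " delimiters become &quot;.
    return htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$restriction = "concat('000000',table.id)"; // the value from the question

$str  = '<a href="#" onclick="';
$str .= onclick_call('a_js_function', ['moduleSee.php', $restriction, 'popup']);
$str .= '">See</a>';

// Encoding only keeps the markup well-formed: whatever the page later sends
// back to the server still arrives as untrusted input.
echo $str, PHP_EOL;
```

The browser decodes the attribute entities first and the JavaScript parser then decodes the \u0027 escapes, so a_js_function receives concat('000000',table.id) unchanged.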
I agree that you should be doing some processing of the input on your SQL server. You could correct the input at that stage.
You could also try using escaped double-quotes instead in your PHP. E.g.:
$str = '<a href="#" onclick="';
$str .= " a_js_function('moduleSee.php','concat(\"000000\",table.id)','popup')";
$str .='">See</a>';
Javascript can concatenate without using a concat function, so this should work:
a_js_function('moduleSee.php', '000000' + table.id, 'popup');
I'm not sure if your code is doing anything special to prevent the above code from working, but that works for me. I have table.id set to 25, so the result comes out as: 00000025
Thanks all for the answers. Finally my boss solved it by changing the core of the CMS: filtering after use of \\'00000\\', using replace() to change \\' to "
$_POST['fix'] = str_replace('\'','"', $_POST['fix']);
The query works well and there are no js errors.