我有一个javascript函数,可以获取参数的一些数据并尝试将它们保存在postgreSQL数据库中。这是javascript ajax函数
function insertCalendarEvents(calendar_group, event_name, event_datestart, event_datestop, event_timestart, event_timestop, event_info, onfinish) {
var request;
if(window.XMLHttpRequest)
request = new XMLHttpRequest();
else
request = new ActiveXObject("Microsoft.XMLHTTP");
request.onreadystatechange = function() {
if (request.readyState == 4 && request.status == 200) {alert(request.responseText);
if(request.responseText.substr(0, 6) == "error ")
alert(errorName[request.responseText.substr(6)]);
else {
var event_id = 7;
onfinish(event_id);
}
}
}
var params = "action=insertCalendarEvents&calendar_group=" + calendar_group + "&event_name=" + encodeURIComponent(event_name) + "&event_datestart=" + event_datestart + "&event_datestop=" + event_datestop + "&event_timestart=" + event_timestart + "&event_timestop=" + event_timestop + "&event_info=" + event_info;
request.open("GET", "php/calendar.php?" + params, true);
request.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
request.send();
}
这是php函数:
if($action == "insertCalendarEvents") {
$calendar_group = $_GET["calendar_group"];
$event_name = "'" . htmlspecialchars(urldecode($_GET["event_name"])) . "'";
$event_datestart = "'" . $_GET["event_datestart"] . "'";
$event_datestop = "'" . $_GET["event_datestop"] . "'";
$event_timestart = $_GET["event_timestart"] != "" ? "'" . $_GET["event_timestart"] . "'" : "null";
$event_timestop = $_GET["event_timestop"] != "" ? "'" . $_GET["event_timestop"] . "'" : "null";
$event_info = "'" . $_GET["event_info"] . "'";
echo $event_name;
require_once("connect.php");
$query = "INSERT INTO calendar_events (calendar_group, event_name, event_datestart, event_datestop, event_timestart, event_timestop, event_info) VALUES (" . $calendar_group . ", " . $event_name . ", " . $event_datestart . ", " . $event_datestop . ", " . $event_timestart . ", " . $event_timestop . ", " . $event_info . ")";
$result = pg_query($connect, $query);
if(!$result)
die("error 1"); // query error
$query = "SELECT currval('events_event_id_seq')";
$result = pg_query($connect, $query);
if(!$result)
die("error 1"); // query error
$row = pg_fetch_row($result);
echo $row[0];
}
问题是当我尝试添加特殊字符(现在我只在event_name参数上测试),比如+或换行符等等,它不起作用,在+它用空格替换它,换行不做任何事情。
答案 0 :(得分:3)
在发送到服务器之前对数据进行编码
我也有像现在这样的问题,但我实现的这个功能解决了我的问题
function encode(val){
var eVal;
if(!encodeURIComponent){
eVal=escape(val);
eVal=eVal.replace(/@/g,"%40");
eVal=eVal.replace(/\//g,"%2F");
eVal=eVal.replace(/\+/g,"%2B");
eVal=eVal.replace(/'/g,"%60");
eVal=eVal.replace(/"/g,"%22");
eVal=eVal.replace(/`/g,"%27");
eVal=eVal.replace(/&/g,"%26");
}else{
eVal=encodeURIComponent(val);
eVal=eVal.replace(/~/g,"%7E");
eVal=eVal.replace(/!/g,"%21");
eVal=eVal.replace(/\(/g,"%28");
eVal=eVal.replace(/\)/g,"%29");
eVal=eVal.replace(/'/g,"%27");
eVal=eVal.replace(/"/g,"%22");
eVal=eVal.replace(/`/g,"%27");
eVal=eVal.replace(/&/g,"%26");
}
return eVal.replace(/\%20/g,"+");
}
答案 1 :(得分:1)
在将数据添加到查询字符串之前,您需要通过encodeURIComponent传递数据。
还要摆脱这些界限:
request.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
如果情况并非如此,我会感到惊讶。
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
您没有发出POST请求。没有消息体来描述内容类型。
答案 2 :(得分:0)
在通过Ajax发送参数之前,您应该对参数使用encodeURI()
答案 3 :(得分:0)
使用POST它应该安全地提供您的数据,并且更合理地用于从客户端更新内容