(JavaScript for the XML HTTP request and PHP for executing the SQL query.)
I’m building a web app that executes queries. It uses the XMLHTTP request GET method and passes a query to a PHP script that executes it. It works fine until I introduce parentheses ( ) in it.
Here is an example of how it works:

    function executeQry(){
      // read the query text from the textarea
      const qry = document.getElementById('textarea').value;
      xmlHTTPRequest(encodeURI(qry));
      //I've also tried encodeURIComponent(qry);
    }
    function xmlHTTPRequest(qry){
      //fetches
      const urlFetch = "http://my.url.com/script.php?qry=" + qry;
    }

This is a quick reference. I know that my XMLHTTP request works fine because it does what it needs to do when other queries are passed through, for example:
SELECT * FROM `tableName`
works fine, but when you try to do something like
CREATE TABLE `new_table`
AS (SELECT * FROM `old_table`)
Then this is when it won’t execute. I get the 403 error, so I figured that it’s an issue with the () because I even tried this same code on the PHP itself, without having to pass it through, and it worked, so there must be an issue with the URL encoding process, right? If this is the issue, is there a method for encoding these characters? I assume there are other characters that don’t get encoded with the encodeURI() method as well as encodeURIComponent(). Thanks in advance!
The below should do it:
Parentheses are oddballs in the URI grammar. Many encoders treat them as special even though they only appear in the obsolete “mark” production. With common web protocols (http, https, mailto) it is safe to encode them to %28 and %29 though web servers are allowed to assign special meanings to them. You are already using encodeURI or encodeURIComponent so you are already assuming that URL escape sequences are UTF-8.
From RFC 3986:
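Added example, not part of the original answer: a strict encoder that also escapes the characters `encodeURIComponent` leaves alone (`! ' ( ) *`), applied to the query from the question. The names `strictEncodeURIComponent`, `buildQueryUrl`, `unescapedBy` and `SAMPLE_QUERY` are hypothetical; the URL is the one from the question.

```javascript
// Added example (not the poster's code). Query text taken from the question.
const SAMPLE_QUERY = "CREATE TABLE `new_table` AS (SELECT * FROM `old_table`)";

// encodeURIComponent leaves A-Z a-z 0-9 - _ . ~ ! ' ( ) * unescaped.
// RFC 3986 lists ! ' ( ) * among the reserved sub-delims, so escape them too.
function strictEncodeURIComponent(value) {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (ch) => "%" + ch.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Hypothetical helper: builds the GET URL with the value fully escaped.
function buildQueryUrl(base, qry) {
  return base + "?qry=" + strictEncodeURIComponent(qry);
}

// Lists the non-alphanumeric characters of `input` that `encoder`
// passes through unchanged, in order of first appearance.
function unescapedBy(encoder, input) {
  return [...new Set(input)]
    .filter((ch) => !/[A-Za-z0-9]/.test(ch) && encoder(ch) === ch)
    .join("");
}

// Compare the three encoders on the query from the question.
for (const [name, enc] of [
  ["encodeURI", encodeURI],
  ["encodeURIComponent", encodeURIComponent],
  ["strictEncodeURIComponent", strictEncodeURIComponent],
]) {
  console.log(name.padEnd(26), "leaves:", unescapedBy(enc, SAMPLE_QUERY));
}

// The escaped value decodes back to the original text, so the receiving
// script sees the same query string it would have seen unencoded.
console.log(buildQueryUrl("http://my.url.com/script.php", SAMPLE_QUERY));
console.log(decodeURIComponent(strictEncodeURIComponent(SAMPLE_QUERY)) === SAMPLE_QUERY);
```

Encoding only makes the value safe to carry in the URL; it does not limit which statements the server-side script will execute.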