php - 使用 ajax 发送特殊字符并将它们正确接收到 php

Question

我有一个 javascript 函数，它获取一些参数数据并尝试将它们保存在 postgreSQL 数据库中。这是javascript ajax函数

function insertCalendarEvents(calendar_group, event_name, event_datestart, event_datestop, event_timestart, event_timestop, event_info, onfinish) {
    var request;
    if(window.XMLHttpRequest)
        request = new XMLHttpRequest();
    else
        request = new ActiveXObject("Microsoft.XMLHTTP");

    request.onreadystatechange = function() {
        if (request.readyState == 4 && request.status == 200) {alert(request.responseText);
            if(request.responseText.substr(0, 6) == "error ")
                alert(errorName[request.responseText.substr(6)]);
            else {
                var event_id = 7;
                onfinish(event_id);
            }
        }
    }

    var params = "action=insertCalendarEvents&calendar_group=" + calendar_group + "&event_name=" + encodeURIComponent(event_name) + "&event_datestart=" + event_datestart + "&event_datestop=" + event_datestop + "&event_timestart=" + event_timestart + "&event_timestop=" + event_timestop + "&event_info=" + event_info;
    request.open("GET", "php/calendar.php?" + params, true);
    request.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");
    request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
    request.send();
}

这是php函数：

if($action == "insertCalendarEvents") {
$calendar_group = $_GET["calendar_group"];
    $event_name = "'" . htmlspecialchars(urldecode($_GET["event_name"])) . "'";
    $event_datestart = "'" . $_GET["event_datestart"] . "'";
    $event_datestop = "'" . $_GET["event_datestop"] . "'";
    $event_timestart = $_GET["event_timestart"] != "" ? "'" . $_GET["event_timestart"] . "'" : "null";
    $event_timestop = $_GET["event_timestop"] != "" ? "'" . $_GET["event_timestop"] . "'" : "null";
    $event_info = "'" . $_GET["event_info"] . "'";
    echo $event_name;

    require_once("connect.php");
$query = "INSERT INTO calendar_events (calendar_group, event_name, event_datestart, event_datestop, event_timestart, event_timestop, event_info) VALUES (" . $calendar_group . ", " . $event_name . ", " . $event_datestart . ", " . $event_datestop . ", " . $event_timestart . ", " . $event_timestop . ", " . $event_info . ")";
$result = pg_query($connect, $query);
if(!$result)
    die("error 1"); // query error

    $query = "SELECT currval('events_event_id_seq')";
    $result = pg_query($connect, $query);
    if(!$result)
    die("error 1"); // query error

    $row = pg_fetch_row($result);
    echo $row[0];
}

问题是当我尝试添加特殊字符（现在我仅在 event_name 参数上测试）时，例如 + 或换行符等，它不起作用，在 + 上它用空格替换它，换行符不做任何事情。

Answer 1

Encode Data Before You send to server

I also had problem like you have now but this function i implemented solved my problem

 function encode(val){
        var eVal;
        if(!encodeURIComponent){
            eVal=escape(val);
            eVal=eVal.replace(/@/g,"%40");
            eVal=eVal.replace(/\//g,"%2F");
            eVal=eVal.replace(/\+/g,"%2B");
            eVal=eVal.replace(/'/g,"%60");
            eVal=eVal.replace(/"/g,"%22");
            eVal=eVal.replace(/`/g,"%27");
            eVal=eVal.replace(/&/g,"%26");
        }else{
            eVal=encodeURIComponent(val);
            eVal=eVal.replace(/~/g,"%7E");
            eVal=eVal.replace(/!/g,"%21");
            eVal=eVal.replace(/\(/g,"%28");
            eVal=eVal.replace(/\)/g,"%29");
            eVal=eVal.replace(/'/g,"%27");
            eVal=eVal.replace(/"/g,"%22");
            eVal=eVal.replace(/`/g,"%27");
            eVal=eVal.replace(/&/g,"%26");
        }
        return eVal.replace(/\%20/g,"+");
    }

Answer 2

encodeURIComponent在将数据添加到查询字符串之前，您需要传递数据。

---

还要摆脱这些行：

request.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT");

如果这并非总是如此，我会感到惊讶。

request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");

您没有发出 POST 请求。没有消息体来描述其内容类型。

Answer 3

使用 POST 它应该安全地传递您的数据，而且更合乎逻辑地用于从客户端更新内容

Answer 4

encodeURI()在通过 Ajax 发送参数之前，您应该使用参数