slashes in AJAX
#1

[eluser]wcaicedo[/eluser]
Hi, I have this situation: I'm doing an Ajax search with MooTools + CI. In a textbox, users enter some info and as they write, the results appear in a div. I'm using the URI to send the search parameters to a CI controller, and if I put a slash in the search input, my JS appends it to the URI and creates a new parameter, causing all sorts of unexpected behavior in my app. I tried to make a POST request but it's not working. I don't know if this question is meant to be here, but I'm kinda desperate, so if anyone can help me figure out a way to correct this inside my controller code... THANKS A LOT!
#2

[eluser]Randy Casburn[/eluser]
So something like this "method:'post'" doesn't work? Sorta like this:

Code:
// MooTools 1.1-style Ajax class: the search values travel in the POST body instead of the URI
new Ajax('path/to/script.php', {method: 'post', postBody: 'slashhashy=/////////', onComplete: showResponse, update: 'container'}).request();

Post is the way to go if you can get it to work. The reason I say this is because this type of problem is like a roach. You'll just kill this one...then another one will creep out of the woodwork!

IMHO,

Randy
#3

[eluser]metaltapimenye[/eluser]
Chill wcaicedo.. don't panic. We might have the answer.

Try to put some char limitation in your ajax requester/$this->input->post/get('search_term'), something like strtr($string, array('/' => '-slash-')).

Identify your problem more precisely: is it the URL requested by MooTools (ajax) or the URL posted by the browser? If ajax is the problem, this might help you.
#4

[eluser]wcaicedo[/eluser]
Hi folks, sorry for taking so long to reply, there's a ton of work these days. Thanks so much for your replies, I appreciate that you have taken the time to do it. Yes, it's a problem with my ajax, my code is something like this (mootools 1.2):
Code:
// we're inside an input's onkeyup event handler; "spin" is the spinner element defined elsewhere
var url = "<?php echo site_url('utilities/ajax_search');?>" + "/" + this.value + "/" + $('select')
      .options[$('select').selectedIndex].value + "/7637";   // the typed value becomes URI segments
new Request.HTML({url: url,
    onSuccess: function(html) {
        $('results').set('text', '');   // clear the previous results
        $('results').adopt(html);       // insert the returned markup
        spin.removeClass('spinner');
        $('results').scrollTop = 0;
    }
}).send();
So, if anybody enters a slash, I'll end up with an extra parameter in the URI. I could remove any possible slash with JS, but it seems kind of a security issue to me (I don't trust client-side code), and that extra parameter could cause unexpected (and possibly malicious) behavior. I tried method:post and postbody:'param1=xxx&param2=yyy' but I get nothing in my controller.

I've come up with this temporary (and ugly) workaround: as you can see, I append to the URL a third (dummy) parameter, which does nothing but let me check whether my URI has been tampered with: if the third parameter of the URI is not it, I don't process the query. Any ideas about getting rid of that 'elusive' slash? Or maybe posting a correct approach to the POST thing? Thank you VERY MUCH!!
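An added example, not code from the thread: the same two values sent as a POST body instead of as path segments, with a small form-body parser standing in for the server so you can see that a slash typed into the box stays inside one named field. The field names `term` and `category`, the base URL and the sample inputs are my assumptions. MooTools 1.2's Request takes the body in its `data` option (`postBody` belongs to the older 1.1 API), which is why a `postbody:` attempt would reach the controller empty.

```javascript
// Added example, not code from the thread. Field names, base URL and sample
// inputs are assumptions. Runs in any JS engine; the MooTools call is a comment.

// The thread's approach: the typed value is glued into the path, so every "/"
// in it becomes one more URI segment for the controller to pick up.
function buildPathUrl(base, term, selectValue) {
  return base + '/' + term + '/' + selectValue + '/7637';
}

// Segments the server would see after the base; the thread expects three.
function segmentsAfter(base, url) {
  var rest = url.slice(base.length + 1);
  return rest === '' ? [] : rest.split('/');
}

// Safer: an application/x-www-form-urlencoded body. encodeURIComponent turns
// "/" into %2F, so the value stays in its own field whatever the user types.
function buildSearchBody(term, selectValue) {
  return 'term=' + encodeURIComponent(term) +
         '&category=' + encodeURIComponent(selectValue);
}

// What a server-side form parser does with that body (the same job PHP does
// when it fills $_POST): split on "&", then on "=", decode each half once.
function parseFormBody(body) {
  var fields = {};
  if (body === '') return fields;
  body.split('&').forEach(function (pair) {
    var idx = pair.indexOf('=');
    var rawKey = idx < 0 ? pair : pair.slice(0, idx);
    var rawVal = idx < 0 ? '' : pair.slice(idx + 1);
    fields[decodeURIComponent(rawKey.replace(/\+/g, ' '))] =
      decodeURIComponent(rawVal.replace(/\+/g, ' '));
  });
  return fields;
}

// Sending it with MooTools 1.2 (assumed usage; browser only, so left as a comment):
//   new Request.HTML({
//     url: "<?php echo site_url('utilities/ajax_search'); ?>",
//     method: 'post',
//     data: buildSearchBody(this.value, $('select').options[$('select').selectedIndex].value),
//     onSuccess: function (html) { $('results').set('text', ''); $('results').adopt(html); }
//   }).send();
// The controller then reads $this->input->post('term') and post('category')
// instead of URI segments, and a "/" in the term is just a character in one value.
```

The point of the path-based helper is only to make the failure visible: with a slash in the term the controller receives four segments instead of three, and no client-side cleanup changes the fact that whoever controls the browser controls that URL. The POST body removes the ambiguity, and the controller still has to validate what it reads from `$_POST`.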
#5

[eluser]Randy Casburn[/eluser]
Hi there,

Change this:

Code:
url = "<?php echo site_url('utilities/ajax_search');?>"+"/"+this.value+"/"+$('select')

to...

Code:
url = "<?php echo site_url('utilities/ajax_search');?>"+"/"+this.value.replace(/\//g,'CHAROFYOURCHOICE')+"/"+$('select')   // the g flag replaces every slash, not only the first

CHAROFYOURCHOICE will replace the forward slash. You DO realize this is only going to fix ONE little teeeny tiny issue right? You need to write a JS method that is going to sanitize that input for more than just a slash. Don't you think an apostrophe might be next? Or an accent etc?

Have fun :)

Randy
#6

[eluser]wcaicedo[/eluser]
Thanks for your post, that's a solution I've considered. What I don't like about a JS method is that (please correct me if I'm wrong) it is at anybody's reach... what happens if someone modifies it and passes a slash? He or she can get away with an entire table...
Regarding your suggestion about sanitizing that entire URI, I'm counting on Active Record and xss_clean for that matter; that's why I only care (for now) about the slash... Thanks a lot
#7

[eluser]Randy Casburn[/eluser]
Anything you do to correct it in the client (JS) will be accessible to the user. Anything. Firebug is as much an enemy as a friend ;-). Since this is an <input> submitted via Ajax, I think it is a take or leave proposition. You should be validating every ajax request server side anyway to validate the source of the request. While it cannot be foolproof, you should at least attempt to validate that the request came from your source page. There are plenty of ways to do this. Google ajax security.

Randy
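An added example, not from the thread and not CodeIgniter code: the server-side checks the post above argues for, written as a framework-neutral function over an already-parsed request. The field names, whitelist patterns and sample requests are constructed for the example; the per-page token is something the server would have to issue into the page earlier, and `X-Requested-With: XMLHttpRequest` is a header MooTools' Request adds to every XHR (a cheap filter, since the user can set it with any tool, not proof of origin).

```javascript
// Added example, not from the thread and not CodeIgniter code. Field names,
// patterns, the token and the sample requests are constructed assumptions.

// Constant-time comparison so a wrong token cannot be told apart by timing.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  var diff = 0;
  for (var i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Whitelists for the two fields the form defines (assumed shapes): the term is
// bounded and excludes "/" and quotes; the category is a short number.
var TERM_RE = /^[A-Za-z0-9 ._-]{1,64}$/;
var CATEGORY_RE = /^[0-9]{1,6}$/;
var EXPECTED_FIELDS = ['token', 'term', 'category'];

// req = { method, headers (lowercase names), body (parsed form fields) }.
// Returns every failed check so the caller can log them, not just the first.
function validateSearchRequest(req, sessionToken) {
  var errors = [];
  if (req.method !== 'POST') errors.push('method');
  // Set by MooTools on each XHR; a plain form submit or link does not carry it.
  if ((req.headers['x-requested-with'] || '') !== 'XMLHttpRequest') errors.push('not-xhr');
  // The token issued to this page is the real "came from my page" check.
  if (!tokensEqual(req.body.token, sessionToken)) errors.push('token');
  if (!TERM_RE.test(req.body.term || '')) errors.push('term');
  if (!CATEGORY_RE.test(req.body.category || '')) errors.push('category');
  // Anything the form does not define is rejected, so a tampered body cannot
  // smuggle extra fields the way an extra URI segment did in the thread.
  Object.keys(req.body).forEach(function (k) {
    if (EXPECTED_FIELDS.indexOf(k) < 0) errors.push('unexpected:' + k);
  });
  return { ok: errors.length === 0, errors: errors };
}

// Constructed sample requests (not real traffic).
var SESSION_TOKEN = 'constructed-token-0123456789abcdef';
var goodRequest = {
  method: 'POST',
  headers: { 'x-requested-with': 'XMLHttpRequest' },
  body: { token: SESSION_TOKEN, term: 'foo bar', category: '3' }
};
var tamperedRequest = {
  method: 'POST',
  headers: {},
  body: { token: 'guess', term: "foo/bar'; DROP", category: '3', extra: '7637' }
};
```

The shape is the same whatever framework sits in front: decide what the endpoint accepts (method, expected header, a token bound to the page or session, a whitelist per field, no unknown fields) and reject on any failure. Client-side cleanup of the slash is then a convenience for the user, not a security control.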