douqianmin5367 2013-02-01 12:53
Views: 40

Sending PHP code through AJAX does not work

I'm trying to make an AJAX request with jQuery, but I'm getting a 403 Forbidden error each time I send PHP functions. An example of what I need is this Stack Overflow comment input, which accepts source code as well.

What I've done:

PHP

// Note: PHP 7+ reserves the name Error for the built-in exception class;
// rename this class if it is run on a modern PHP.
class Error {
  public function __construct($mysqli, $user) {
    // Matches the call new Error($mysqli, $user) in the action script.
    $this->mysqli = $mysqli;
    $this->user   = $user;
    // etc
  }

  // Inserts a comment for the logged-in user; returns the new row id or false.
  public function comment($error_id, $content) {

    if(!$this->user->loged)
      return false;

    // Escape, then require a numeric id. $content is expected to arrive
    // already escaped by the caller (see escapeString below).
    $error_id = $this->mysqli->real_escape_string($error_id);
    if(!is_numeric($error_id))
      return false;

    $this->mysqli->query("INSERT INTO comments 
                          VALUES (NULL, '" . $error_id . "', '" . $this->user->user_id . "', '" . $content . "', NULL)");
    return $this->mysqli->insert_id;

  }
}

where $content is escaped using the escapeString function inside the Common class:

// Escapes for SQL and then HTML-encodes, so the text is stored already
// HTML-escaped (and must not be escaped again on output).
public function escapeString($text) {
  return htmlspecialchars($this->mysqli->real_escape_string($text));
}

my JS is:

$('div.left-content').on('click', 'form.comment input[type=button]', function () {

        // Declared locally; the original leaked $but as a global variable.
        var $but  = $(this);
        var $text = $but.prev('textarea');

        if (!erori.user.loged) {
            // "You must be logged in to comment!"
            showTooltip($but, 'Trebuie să fii autentificat pentru a putea comenta!');

            return false;
        }

        // Reject the placeholder text and empty input. This is a convenience
        // check only; the server has to repeat it.
        if ($text.val() == $text.data("text") || $text.val().trim() == '') {
            // "Fill in the text field to be able to send the comment!"
            showTooltip($but, 'Completează câmpul de text pentru a putea trimite comentariul!');

            return false;
        }

        if ($text.hasClass('disabled'))
            return false;

        // Block double submission while the request is in flight.
        $but.attr('disabled', 'disabled');
        $text.addClass('disabled');

        $.post(
            $but.parent().attr('action'),
            $but.parent().serialize(),
            function (data) {
                if (data.content) {
                    $('<div class="comment"></div>').html(data.content).insertBefore($but.parent().parent());
                    if ($text.hasClass('disabled'))
                        $text.val('').trigger('blur').animate({height: '20px'}, 300);
                    $text.removeClass('disabled');
                }

                $but.removeAttr('disabled');

            },
            'json')
        .fail(function (xhr, textStatus, errorThrown) {
            if (errorThrown == 'Forbidden') {
                // "The comment could not be sent! If you want to send source code use ` source code `!"
                showTooltip($but, 'Comentariul nu a putut fi trimis!<br />Dacă vrei să trimiți sursă de cod folosește <strong>` cod sursă `</strong>!');

                $text.removeClass('disabled');
                $but.removeAttr('disabled');

                return false;
            }
        });
    });

and the action code is:

$error = new Error($mysqli, $user);

// The comment body is escaped here, before it reaches Error::comment().
$content = $common->escapeString($_POST['error_comment']);

$comment_id = $error->comment($_POST['error_id'], $content);

How can I escape the source code before sending it to the server, so that I don't get back this 403 Forbidden error?

What I'm trying to say is that if I try to comment, for example: This is my comment with <?php $sql = mysql_query(); ?> the server throws a 403 error code!


1 answer

  • douzhang5121 2013-02-01 12:57

    You cannot really filter your code before sending, because the user can just turn off JavaScript and send the code to you directly, skipping any client-side filtering.

    And the 403 error is a "rights" error, so you need to fix the headers or the rights for the PHP file.

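The page does not show which component returns the 403, so the following does not diagnose it. It is an added example, not code from the original post, illustrating the part of the answer that does hold regardless: the server cannot trust anything the client filtered, so it validates the id itself, binds the comment text as a parameter instead of splicing it into the SQL string, stores the text unmodified, and HTML-escapes it only when rendering. Assumed, because the page does not state them: `$mysqli` is an open mysqli connection, `$user` is the post's user object with `->loged` and `->user_id`, the `comments` table has the columns `(id, error_id, user_id, content, created_at)` in the order of the five positional values in the post's INSERT, and the 10000-character limit.

```php
<?php
// Added example (not the original post's code). Assumptions: $mysqli is an
// open mysqli connection, $user has ->loged and ->user_id, and the comments
// table has columns (id, error_id, user_id, content, created_at).

declare(strict_types=1);

final class CommentStore
{
    /** @var mysqli */
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    /**
     * Store the comment text exactly as submitted.
     * Returns the new row id, or null when input is invalid or the insert fails.
     */
    public function add(int $userId, $rawErrorId, string $content): ?int
    {
        // Validate the id as a positive integer. No escaping is needed: the
        // value is bound below, never spliced into the SQL text.
        $errorId = filter_var($rawErrorId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($errorId === false) {
            return null;
        }

        // Repeat the emptiness check server-side; the jQuery check in the
        // question runs only in browsers that choose to run it.
        $content = trim($content);
        if ($content === '' || strlen($content) > 10000) {   // 10000 is an assumed limit
            return null;
        }

        $stmt = $this->db->prepare(
            'INSERT INTO comments (error_id, user_id, content, created_at) VALUES (?, ?, ?, NOW())'
        );
        if ($stmt === false) {
            return null;
        }
        // Parameters travel separately from the statement text, so PHP tags,
        // quotes or SQL keywords inside $content cannot alter the query.
        $stmt->bind_param('iis', $errorId, $userId, $content);
        $ok = $stmt->execute();
        $id = $ok ? (int) $stmt->insert_id : null;
        $stmt->close();
        return $id;
    }
}

/**
 * Escape once, at output. Storing raw text avoids double-encoding and keeps
 * the comment usable for editing or non-HTML display.
 */
function renderComment(string $content): string
{
    return '<div class="comment"><pre>'
        . htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</pre></div>';
}

// --- handler: what the question's "action" script would look like ---
header('Content-Type: application/json; charset=UTF-8');

if (!$user->loged) {
    http_response_code(401);
    echo json_encode(['error' => 'login required']);
    exit;
}

$raw   = (string) ($_POST['error_comment'] ?? '');
$store = new CommentStore($mysqli);
$id    = $store->add((int) $user->user_id, $_POST['error_id'] ?? null, $raw);

if ($id === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid comment']);
    exit;
}

// JSON_HEX_* keeps the HTML fragment inert if this JSON is ever inlined in a <script> block.
echo json_encode(
    ['id' => $id, 'content' => renderComment(trim($raw))],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);
```

With this layout the JavaScript in the question can post the textarea contents as-is; a comment containing `<?php ... ?>` is stored verbatim and comes back in `data.content` as escaped text inside a `<pre>`, which is what `.html(data.content)` then renders. The `Common::escapeString` step from the question is no longer needed, since escaping for SQL is replaced by parameter binding and escaping for HTML moves to `renderComment`.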
