php replacing ascii code

Question

I'm stuck with a php issue. I've got to send a sql query with a POST form with an ajax request. This query is like :

SELECT * FROM table WHERE field LIKE '%512%'

The problem is when i take back this query from POST var in php, it shows :

SELECT * FROM table WHERE field LIKE 'Q2%'

and it obviously fail...

I tried changing to utf-8 it didn't change anything.

Javascript seems to send the correct text, but php change it when reading POST.

Is ther a way I can prevent php from reading %51 as ascii code ?

Just in case, the website is written with Code Igniter.

Thanks

Answer 1

POST Data : URL encoding replaces unsafe ASCII characters with a "%" followed by two hexadecimal digits.
First : encode data using javascript function.

var res = encodeURI("SELECT * FROM table WHERE field LIKE '%512%'");

then send the data using ajax.

In PHP, Decode data using function :

$data=urldecode(string $_POST['yourdata']);

For further information you can go through these links:

• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURI
• http://php.net/manual/en/function.urldecode.php
• http://ascii.cl/htmlcodes.htm

Answer 2

Though you can use %25512%, but I agree with deceze.

Using %25 will be interpreted to % sign

so use %25Your number

Answer 3

1. Don't send entire SQL queries from a Javascript client to a server. Just don't. That's worse than an SQL injection vulnerability, it's simply carte blanche for query execution by anyone for anything.
2. Data in HTTP requests is typically encoded using percent encoding, and guess what: %51 happens to stand for "Q" in this encoding. You need to properly encode your data when sending it in an HTTP request, for example using encodeURIComponent(). If you want to send "%51", you need to actually be sending %2551. The specifics will depend on how you're sending that data exactly.

Also consider reading The Great Escapism (Or: What You Need To Know To Work With Text Within Text).