0

A jquery builder (from http://querybuilder.js.org/ ) is used to let the user pick a date and further select data for a DataTables (datatables.net/ ) via a PHP function.

The DataTables and especially Ajax function looks like this:

var table = $(id).DataTable({
        serverSide: true,
        searching: true,
        processing: true,,
        ajax: {
            url: "controllers/myAjax.php",
            type: "POST",
            data: result
        }
});

The object passed as data is defined by queryBuilder and appended to my query string in the PHP script. To nail things down I pass the data as plain SQL (http://querybuilder.js.org/plugins.html#import-export). In my problem test case this is:

WHERE birthdate < '1990-01-01'

This would result in the SELECT query:

SELECT * from table_1 WHERE birthdate < '1990-01-01'

This query throws a MySQL error:

"[...] check the manual that corresponds to your MySQL 
server version for the right syntax to use near '\'1990-01-01\' "

Obviously the date doesn't get escaped correctly. But when I enter exactly this query to my MySQL workbench, the server executes and returns a correct set of results. Even more, the workbench doesn't care if I use single quote (') or double quote (").

Further, I tried to manually remove those escape chars using PHP str_replace. The function then returns values, but obviously interpreted as int and breaking other queries (like equal ID). Same goes for msqli.real-escape-string (http://php.net/manual/de/mysqli.real-escape-string.php).

Another approach I tried was to change the dataType of the Ajax function a little bit - but basically I am sending form-encoded data, so the default type for this should be fine?

So why does (only) the date field get escaped in a wrong manner? Is there any rather quick fix for this, before I have to write my own PHP functions for accessing the DB?

Sarah Trees
  • 822
  • 12
  • 28
konrad_pe
  • 1,189
  • 11
  • 26
  • show how you build the actual query. A properly built one should NOT have those `\'` in there... most likely you've double-escaped or something, producing `... where birthdate < \'1990-01-01\'`, which is not valid. escaped quotes aren't quotes. they're just some character that LOOKS like a quote as far as the DB is concerned. – Marc B Aug 11 '16 at 20:15
  • I will edit how the PHP script builds the query asap, and yes I agree, it seems double-escaped somehow. Then again, why would it be broken if I try and remove the escapings with str_replace and query for ID = 3? There are no quotes involved at all. – konrad_pe Aug 12 '16 at 08:37
  • that's why you should show the php code that builds/executes the query. We can't read your mind, and can't see what's happening. Maybe you're on an obsolete php with `magic_quotes` enabled, and then do your own escaping. – Marc B Aug 12 '16 at 19:05
  • In the end I resolved this issue by calling the query as json/parametrized instead of url-encoded. So I didn't really solve it, but found a way around it. Still puzzling, why PHP and the mySQL workbench would interpret the same query differently. I will try and update the question as soon as I find the time to do so. Thank you for your suggestions anyway, @MarcB! – konrad_pe Aug 18 '16 at 15:04

0 Answers0