#1 charco (New Coder, joined Dec 2005)

    HTML ==> Javascript ==> ajax ==> php ==> email

    Hi Y'awl,

    I've got a little problem that has/is defeating me. The flow is in the title. Basically the user is presented with a quiz in the browser and he/she answers dynamically generated questions which are marked on the fly by the JavaScript. Any wrongly answered questions are bundled into an array along with the correct answer and displayed on-screen at the end of the test. At the same time the data is sent to a PHP mailer via AJAX and the results sent to the email that was entered by the user.

    I have many such quizzes and they all work fine EXCEPT when the question strings contain a degree sign, or the HTML entity coding for a degree sign, &#176;

    In this case the php breaks at the degree sign and nothing else is sent to the end user.

    The relevant javascript:

    Code:
        var dimdeg = '°C';  // this has also been tried with "ºC" and "°"
        var wstore = [];    // wrongly answered questions, each bundled with its correct answer
    A typical dynamically constructed question looks like this:
    Code:
    <p>1. The heat capacity of a bomb calorimeter is 1.16 kJ K<sup>-1</sup>. Calculate the energy needed (kiloJoules) to increase the temperature of the calorimeter by 45&#176;C.  (to 3 significant figures)</p>
    Which displays fine in HTML

    These questions are bundled into an array using:

    Code:
        wstore.push(question);
    The array is then displayed on screen at the end of the test.
    It is also sent to php via AJAX.

    Code:
        function postIt() {
            var http = new XMLHttpRequest();
            var url = "../mail/testSum.php";
            // wstore is an array; "..." + wstore joins its elements with commas
            var params = "realname=" + myName + "&rightAnswers=" + correct + "&percentageScore=" + percentage + "&asked=" + numq + "&mins=" + minutes + "&secs=" + seconds + "&deliver=" + destination + "&testName=" + test + "&wrongArray=" + wstore;
            http.open("GET", url + "?" + params, true);
            http.onreadystatechange = function() {
                if (http.readyState == 4 && http.status == 200) {
                    //alert();
                }
            };
            http.send(null);
        }
    It is received in php along with other data and the array exploded:

    PHP Code:
        // values arrive in $_GET already percent-decoded
        $data1 = $_GET["realname"];
        $data2 = $_GET["rightAnswers"];
        $data3 = $_GET["asked"];
        $data4 = $_GET["mins"];
        $data5 = $_GET["secs"];
        $data6 = $_GET["percentageScore"];
        $data7 = $_GET["deliver"];
        $data8 = $_GET["testName"];
        $myWrongArray = explode(',', $_GET["wrongArray"]);  // this is the wrong questions array
    and then the exploded array is organised for emailing:

    PHP Code:
        $message = $data1.", you have attempted ".$data3." questions";
        foreach ($myWrongArray as $my_Array) {
            $message .= "\r\n".$my_Array;
        }
        $message = strip_tags($message);
    BUT the chain breaks down at the &, and the only output received in the email is:

    1. The heat capacity of a bomb calorimeter is 1.16 kJ K-1. Calculate the energy needed (kiloJoules) to increase the temperature of the calorimeter by 45

    Does anyone have any suggestions? I have tried various encodeURI() and encodeURIComponent() combinations, but they either remove the degree sign altogether or produce gobbledegook.

    I've been on this for 2 days and it's driving me crazy!

    Cheers,

    Charco
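Why the query string is cut off exactly at the entity, as an added example (this is not code from the thread): it rebuilds the query both the way postIt() above does it and with encodeURIComponent(), then parses each URL the way a browser and PHP's $_GET would. In `45&#176;C` the `&` ends the wrongArray value and the `#` starts a URL fragment, which the browser never sends to the server at all. The host name, the sample question and the field subset are constructed for the demonstration; it runs under Node.js, where URL and URLSearchParams are built in.

```javascript
// Added example: query-string truncation caused by an unencoded "&#176;"
// and the encodeURIComponent() fix. Not code from the original thread.

// Constructed sample: the question quoted in the post, as one wstore entry.
const sampleQuestion =
  '<p>1. The heat capacity of a bomb calorimeter is 1.16 kJ K<sup>-1</sup>. ' +
  'Calculate the energy needed (kiloJoules) to increase the temperature of ' +
  'the calorimeter by 45&#176;C.  (to 3 significant figures)</p>';

const fields = {
  realname: 'Charco',
  rightAnswers: '4',
  wrongArray: [sampleQuestion],   // the array the post calls wstore
};

// The original postIt() approach: key=value pairs glued together with no
// encoding. An array value is stringified the way "..." + wstore does it.
function buildQueryNaive(obj) {
  return Object.keys(obj).map(k => k + '=' + obj[k]).join('&');
}

// Hardened version: every name and value goes through encodeURIComponent(),
// so '&', '#', '=', '+' and non-ASCII characters can no longer be mistaken
// for query-string syntax by the browser or by PHP.
function buildQueryEncoded(obj) {
  return Object.keys(obj)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(String(obj[k])))
    .join('&');
}

// What PHP's $_GET ends up with: the browser drops everything from the first
// '#' onwards (that is the fragment, never transmitted), and the server splits
// the remainder on '&' and '=' and percent-decodes each piece.
function serverSideGet(url) {
  const u = new URL(url);
  const out = {};
  for (const [k, v] of u.searchParams) out[k] = v;
  return out;
}

// Assumed host; the post only shows the relative path ../mail/testSum.php
const base = 'https://example.invalid/mail/testSum.php?';

function naiveResult() {
  return serverSideGet(base + buildQueryNaive(fields));
}

function encodedResult() {
  return serverSideGet(base + buildQueryEncoded(fields));
}

console.log(naiveResult().wrongArray);    // ends at "...by 45"
console.log(encodedResult().wrongArray);  // the full question, entity intact
```

The encoded value reaches PHP already decoded, so the script does not need urldecode(); that is also the answer to the "gobbledegook" symptom: the encoding must happen once, at the point where the parameter string is assembled, and the unencoded copy is what gets written to the screen.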

#2 xelawho (Senior Coder, joined Nov 2010)
    encodeURIComponent() is the correct approach here, but are you decoding the string before sending it to your mailer? If not, no wonder it is producing gobbledegook.

    urldecode() can decode in php, but if you are using that you would be better to use JavaScript's encodeURI() for better data parity.

    I believe that if you use $_REQUEST variables they are decoded automatically, but I have never tried this.

#3 deathshadow (Senior Coder, Keene, NH, joined Feb 2016)
    I would suggest sending as POST instead of GET. You are allowed more storage space, and you aren't stuffing their answer into the URI where a bot could more easily BS it or leverage XSS exploits.

    ... and really, if you're using encodeURIComponent that way it SHOULD be correct server-side without having to decode it, as that should happen automatically when PHP starts up... be it $_POST, $_GET, or $_REQUEST

    Though you really shouldn't use that last one, something else that REALLY should be stricken from PHP.

    That said, your logic worries me -- almost sounds like you have the ANSWERS client-side and have no scripting-off graceful degradation. The former makes it easy to cheat, the latter tells large swaths of potential users to sod off.
    “There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.” – C.A.R. Hoare, The 1980 ACM Turing Award Lecture
    http://www.cutcodedown.com

#4 charco (New Coder, joined Dec 2005)
    Quote Originally Posted by deathshadow:
    I would suggest sending as POST instead of GET. You are allowed more storage space, and you aren't stuffing their answer into the URI where a bot could more easily BS it or leverage XSS exploits.

    would I just literally substitute POST for GET? (php rookie)

    Quote Originally Posted by deathshadow:
    ... and really, if you're using encodeURIComponent that way it SHOULD be correct server-side without having to decode it, as that should happen automatically when PHP starts up... be it $_POST, $_GET, or $_REQUEST

    The problem is after URL-encoding I can't output the content to the screen, which is the first stage. I need the HTML to display on the screen and the encoded version to pass to PHP. My only thought is that I could duplicate everything, but that seems such an inelegant solution.

    Quote Originally Posted by deathshadow:
    Though you really shouldn't use that last one, something else that REALLY should be stricken from PHP.

    That said, your logic worries me -- almost sounds like you have the ANSWERS client-side and have no scripting-off graceful degradation. The former makes it easy to cheat, the latter tells large swaths of potential users to sod off.
    The questions and answers are generated on the fly by the Javascript. At no point are they actually written down until the test is over. I suppose that it would technically be possible for someone to copy the javascript and use the answers algorithm to generate them in a third party PC ... but would it be worth the bother?
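What "substitute POST for GET" actually involves, as an added example (not code from the thread or from either poster): the fields move out of the URL into the request body, the body needs a Content-Type header, and the PHP side reads $_POST instead of $_GET. The example also sends the wrong-question list as one JSON string instead of relying on the comma-joined form, because explode(',') on the server splits any question that itself contains a comma. Field names and the mailer path are the ones in the original postIt(); the result values, the fake transport used for the stand-alone run and the simulated $_POST parser are constructed for the demonstration. Runs under Node.js.

```javascript
// Added example: postIt() as a POST request, plus a simulation of what PHP's
// $_POST receives. Not code from the original thread.

// Build the request the browser will send. Field names match testSum.php.
function buildPostRequest(results) {
  const body = new URLSearchParams();
  body.set('realname', results.myName);
  body.set('rightAnswers', String(results.correct));
  body.set('percentageScore', String(results.percentage));
  body.set('asked', String(results.numq));
  body.set('mins', String(results.minutes));
  body.set('secs', String(results.seconds));
  body.set('deliver', results.destination);
  body.set('testName', results.test);
  body.set('wrongArray', JSON.stringify(results.wstore));  // one JSON string, commas safe
  return {
    method: 'POST',
    url: '../mail/testSum.php',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body.toString(),   // URLSearchParams percent-encodes every name and value
  };
}

// Send it. xhrFactory returns an XMLHttpRequest-like object; in the browser
// pass () => new XMLHttpRequest(). Injecting it keeps the function testable
// outside a browser.
function postIt(results, xhrFactory, onDone) {
  const req = buildPostRequest(results);
  const http = xhrFactory();
  http.open(req.method, req.url, true);
  http.setRequestHeader('Content-Type', req.headers['Content-Type']);
  http.onreadystatechange = function () {
    if (http.readyState === 4 && onDone) onDone(http.status);
  };
  http.send(req.body);   // the data travels in the body, not in the URL
  return req;
}

// What PHP's $_POST sees for such a body: split on '&' then '=', percent-
// decode each piece ('+' is a space), then json_decode() the wrongArray field.
function simulatePhpPost(body) {
  const post = {};
  for (const [k, v] of new URLSearchParams(body)) post[k] = v;
  post.wrongArray = JSON.parse(post.wrongArray);
  return post;
}

// Constructed sample result: one question with the degree-sign entity and one
// containing a comma.
const sampleResults = {
  myName: 'Charco', correct: 4, percentage: 80, numq: 5, minutes: 3, seconds: 12,
  destination: 'student@example.invalid', test: 'calorimetry',
  wstore: [
    'Calculate the energy needed to raise the calorimeter by 45&#176;C. (to 3 significant figures)',
    'Given 2.0 g of water, 20 J of energy, calculate the final temperature in &#176;C.',
  ],
};

// Stand-alone run with a fake transport that just echoes the request back.
const fakeXhr = () => ({
  open(method, url) { this.method = method; this.url = url; },
  setRequestHeader() {},
  send(body) { this.sentBody = body; this.readyState = 4; this.status = 200; this.onreadystatechange(); },
});
const sent = postIt(sampleResults, fakeXhr, status => console.log('status', status));
console.log(simulatePhpPost(sent.body).wrongArray.length);  // 2
```

On the PHP side the matching change is `$myWrongArray = json_decode($_POST["wrongArray"], true);` in place of the explode() line. Since the `deliver` address is typed by the user, the mailer should also validate it (for example with `filter_var($data7, FILTER_VALIDATE_EMAIL)`) before it is handed to mail(); a raw value there lets anyone use the script to send mail to arbitrary recipients.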

#5 deathshadow (Senior Coder, Keene, NH, joined Feb 2016)
    Quote Originally Posted by charco:
    The problem is after URLencoding I can't output the content to the screen, which is the first stage.
    When you say output to the screen, do you mean in JavaScript, or from PHP as echo? If the former you should still have the original value so that's a non-issue. If the latter that's got nothing to do with what the JavaScript is doing, what you want to do (and should do with any user-generated values) is apply htmlspecialchars to the output.

    PHP: htmlspecialchars - Manual

    I think that may be the part you're missing.

    Quote Originally Posted by charco:
    The questions and answers are generated on the fly by the Javascript. At no point are they actually written down until the test is over. I suppose that it would technically be possible for someone to copy the javascript and use the answers algorithm to generate them in a third party PC ... but would it be worth the bother?
    How exactly does one generate a QUESTION on the fly?

    Though either way you don't even need another PC to do it, there's this stuff called "user javascript" that exists by default in some browsers, and can be added with extensions like "tampermonkey" which let users run their own scripts ATOP any existing ones on a website.

    Likewise that type of processing REALLY has no business client-side "in the browser" in the first place. ESPECIALLY if you care about accessibility where client-side scripting may not even exist...

    Good JavaScript should enhance an already working page, not be your only means of providing functionality. Generating ANSWERS client side? Yikes. Just BEGGING to be pwned by every two bit script-kiddie.

#6 charco (New Coder, joined Dec 2005)
    Quote Originally Posted by deathshadow (post #5, quoted in full)
    Thanks for the link - I'll try to make sense of it, but I'm not a very accomplished programmer - it's a kind of hobby ...

    The questions are generated by the JavaScript selecting from arrays using random variables that are inserted into generic question frameworks. The program then uses the same selected data to generate the appropriate answer. The target audience are not going to be "script kiddies", but students and teachers of pre-university chemistry. The script that is causing me trouble selects (for example) a substance at random and then its mass and initial temperature are generated randomly (within certain parameters). A randomly generated quantity of energy is then inserted into the question and the student/client has to input the final temperature of the substance. If they get the question wrong it is output both as an on-screen display (after all questions have been answered) and also sent with the answer to the user's email.

    If you are interested in seeing how the flow works see: 401 Authorization Required [login: guest, p/w: guest]

    Even if people were able to generate the answers using another script it would be pretty pointless.

#7 charco (New Coder, joined Dec 2005)
    Ok, I've kind of solved my problem. BUT I'm not happy with the solution.

    In order for me to display the degree sign on the screen I have had to remove the meta tag charset=UTF-8, which is flagged as a problem in the Firefox debugger, but which seems to work.

    My question is:

    Why does the degree sign, º, NOT work when the meta tag is included in the HTML:

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

    According to the literature UTF-8 is the standard character set for HTML5 AND it includes the degree sign.
    When I enter the degree sign in the HTML source using the keyboard (spanish setting) º, it displays OK, UNLESS I have the meta tag. Without the meta tag it displays correctly.
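The usual reason a literal character typed into the source displays correctly only once the UTF-8 meta tag is removed is that the HTML file itself is saved in a legacy single-byte encoding (ISO-8859-1 / Windows-1252), so its byte for the character is not valid UTF-8; the post does not say how the file was saved, so that is an assumption here. The following added example (not code from the thread) encodes the character both ways and decodes the bytes under each declared charset, and checks that a numeric entity such as `&#176;` is unaffected because it is plain ASCII. It also separates two characters the post treats as one: the Spanish keyboard `º` is U+00BA (masculine ordinal indicator), whereas the degree sign `&#176;` is U+00B0. Runs under Node.js using Buffer.

```javascript
// Added example: what a browser renders for a literal 'º' or '°' depending on
// how the file was saved versus which charset the page declares.
// Not code from the original thread.

const ORDINAL = '\u00BA';  // what a Spanish keyboard's º key produces
const DEGREE = '\u00B0';   // the real degree sign, i.e. &#176; / &deg;

// Bytes a text editor writes for one character in a given file encoding.
// 'latin1' stands in for ISO-8859-1 / Windows-1252 (an assumption about the
// poster's editor, not something the thread states).
function bytesFor(text, fileEncoding) {
  return Buffer.from(text, fileEncoding);   // 'latin1' or 'utf8'
}

// How the browser interprets those bytes under the declared charset.
// A byte sequence that is not valid UTF-8 is shown as U+FFFD.
function renderAs(bytes, declaredCharset) {
  return bytes.toString(declaredCharset);
}

// All four combinations for one character.
function renderingMatrix(ch) {
  const latin1Bytes = bytesFor(ch, 'latin1');
  const utf8Bytes = bytesFor(ch, 'utf8');
  return {
    latin1FileDeclaredUtf8: renderAs(latin1Bytes, 'utf8'),     // broken: U+FFFD
    latin1FileDeclaredLatin1: renderAs(latin1Bytes, 'latin1'), // correct
    utf8FileDeclaredUtf8: renderAs(utf8Bytes, 'utf8'),         // correct
    utf8FileDeclaredLatin1: renderAs(utf8Bytes, 'latin1'),     // mojibake: 'Â' + ch
  };
}

// A numeric character reference is pure ASCII: identical bytes in either file
// encoding and the same text under either charset declaration.
function entityIsEncodingProof(entity) {
  const a = bytesFor(entity, 'latin1');
  const b = bytesFor(entity, 'utf8');
  return a.equals(b) && renderAs(a, 'utf8') === entity && renderAs(a, 'latin1') === entity;
}

console.log(renderingMatrix(ORDINAL));
console.log(renderingMatrix(DEGREE));
console.log(entityIsEncodingProof('&#176;'));  // true
```

The fix that keeps the meta tag is to save the file as UTF-8 (most editors have a "save with encoding" option) rather than to drop the declaration, which leaves the browser guessing. Also check the Content-Type header the web server sends, since a charset in that header takes precedence over the meta tag.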


 
