I'm trying to overwrite a file using php function file_put_contents() along with ajax, how ever while writing to the file the plus sign (+) is replace with a space. Here is the code snippet
我尝试使用php函数file_put_contents()来覆盖一个文件,同时使用ajax,在写入文件时,加号(+)被替换为一个空格。下面是代码片段
<html>
<head></head>
<body>
<div>inline editor will change this text</div>
<button type="button" onclick="loadDoc()">save changes</button>
<script>
function loadDoc() {
var html = document.getElementsByTagName('html')[0];
var xhttp = new XMLHttpRequest();
xhttp.open("POST", "overwrite.php", true);
xhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xhttp.send("html="+html.outerHTML);
<!--the + here is replace with a space-->
}
</script>
</body>
</html>
Basically what i'm trying to do here is to allow the user to use inline editors to change the text and then get the updated DOM and write it back to the file, overwriting the previous content.
基本上我在这里要做的是允许用户使用内联编辑器来更改文本,然后获取更新后的DOM并将其写回文件,覆盖以前的内容。
Here is overwrite.php
这是overwrite.php
<?php
$var = $_POST['html'];
file_put_contents("index.php", $var );
?>
There are two things going wrong with this actually
实际上有两件事出错了
1). the + symbol is being replace with a space (solved thanks to simultaneous answers by @deceze @Justinas)
1). +符号被替换为空格(由于@欺诈者@Justinas同时给出答案)
2). there are style tags being added inside the head tag (still unsolved and mighty annoying)
2).在head标签中添加了一些样式标签(仍然没有解决,非常烦人)
it would be great to find out what is actually happening here, and maybe i could alter the code to fix it.
如果能知道这里到底发生了什么,那就太好了,也许我可以修改代码来修复它。
I'm well aware of the security risks of allowing users to modify content and then writing it directly to a file, i'm just experimenting here.
我很清楚允许用户修改内容并将其直接写入文件的安全风险,我只是在这里进行试验。
thanks
谢谢
2 个解决方案
#1
1
-
You are sending plain text via
GET. In URL+means space so when PHP reads URL string it automatically url-decodes it and your+is replaced with space. Usexhttp.send('html='+encodeURIComponent(html.outerHTML)).您正在通过GET发送纯文本。在URL +中表示空间,所以当PHP读取URL字符串时,它会自动地URL解码它,而您的+将被空格替换。使用xhttp.send(' html = ' + encodeURIComponent(html.outerHTML))。
-
Are you using any framework or any other automated system to auto-append styles?
您是否使用任何框架或任何其他自动系统来自动添加样式?
#2
2
+ in the x-www-form-urlencoded format means space! You need to correctly url-encode your content before sending it to the server:
+在x-www-form- urlencodes格式意味着空间!在将内容发送到服务器之前,您需要正确地对其进行url编码:
xhttp.send("html=" + encodeURIComponent(html.outerHTML));
#1
1
-
You are sending plain text via
GET. In URL+means space so when PHP reads URL string it automatically url-decodes it and your+is replaced with space. Usexhttp.send('html='+encodeURIComponent(html.outerHTML)).您正在通过GET发送纯文本。在URL +中表示空间,所以当PHP读取URL字符串时,它会自动地URL解码它,而您的+将被空格替换。使用xhttp.send(' html = ' + encodeURIComponent(html.outerHTML))。
-
Are you using any framework or any other automated system to auto-append styles?
您是否使用任何框架或任何其他自动系统来自动添加样式?
#2
2
+ in the x-www-form-urlencoded format means space! You need to correctly url-encode your content before sending it to the server:
+在x-www-form- urlencodes格式意味着空间!在将内容发送到服务器之前,您需要正确地对其进行url编码:
xhttp.send("html=" + encodeURIComponent(html.outerHTML));