有人能向我解释一下如何在C CGI中使用JQueryAjax吗?
以及如何初始化标题?
这是我的js代码片段:
$.ajax({
type: "post",
url: "check_username.cgi",
data: username,
function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
});
下面是我的c代码中成功编译的代码片段:
printf("Content-type:text/html; charset=UTF-8
"); \\I am having problem with this line.
int size, exists;
int length = (int) atoi(getenv("CONTENT_LENGTH"));
char username[length], query[128] = "select username from users where username = ";
fgets(username, length, stdin);
MYSQL *conn = mysql_init(NULL);
mysql_real_connect(conn, server, user, password, database, 0, NULL, 0);
strcat(query, username);
strcat(query, ";");
exists = (int) mysql_num_rows((MYSQL_RES *)mysql_query(conn, query));
mysql_close(conn);
if(exists) return 1;
else return 0;
在浏览器中测试之后,我的控制台中返回了这个:https://i.stack.imgur.com/N6N7V.png
如果你只是想告诉我使用python还是Perl,请不要回答......
I know now the mistake. It is so simple. This line:
function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
should be:
success: function(exists){
if(exists) $("#username").after("<p>Username" + username + "is not available.</p>");
}
C is an extremely awkward language for web programming.
As you've requested, I will not tell you to use another language, but I will tell you that C is an extremely poor choice -- especially if you try to use only the standard library -- and you should reconsider this choice. It is extremely easy to introduce security vulnerabilities in a C application, and in fact you have several rather serious ones in the short code sample you've provided which could have been easily avoided in another language.
printf("Content-type:text/html; charset=UTF-8
");
A Content-Type of text/html is not appropriate for JSON output. Use application/json. (This is not a security issue, but it's worth noting.)
Printing headers all at once here also makes it impossible for you to return a HTTP error from your script later. It's typically best to defer headers until your response is ready.
int length = (int) atoi(getenv("CONTENT_LENGTH"));
char username[length];
You are assuming that the query will have a CONTENT_LENGTH header. It may not. Never make assumptions about the presence or validity of HTTP headers.
You are also assuming that the value of the CONTENT_LENGTH header will be a reasonable length to allocate on the stack. It may not be.
Avoid allocating variable-length data on the stack. While it's a handy extension, it can go very wrong very easily.
fgets(username, length, stdin);
You are assuming that the script will always receive POST data on standard input. This is not the case. A GET or HEAD request to your script will have no content. (Remember what I said about assumptions earlier?)
You are also assuming that the input to the script will be the value of username. It is not. It will probably be in either application/x-www-form-urlencoded format (foo=abc&bar=def) or multipart/form-data format (more complicated, multiple lines). You don't necessarily need to handle both here, but you need to at least check that the input is in the format you're expecting, parse it appropriately if it is, and return an error if it isn't.
char query[128] = "select username from users where username = ";
…
strcat(query, username);
strcat(query, ";");
You are not quoting username. This makes the query fail, because most usernames will not be valid as literals in the SQL query here.
Not only that, but you are also concatenating user input to a SQL query without performing any form of escaping. This makes your application vulnerable to SQL injection. SQL metacharacters in username will be interpreted as part of the query. You must escape the value of username before including it in the query, or (ideally) use a parameterized query to avoid this problem altogether.
Worse, you are concatenating user input to a fixed-size buffer without making any length checks. This makes your application vulnerable to a buffer overflow. An overly long username may allow an attacker to execute arbitrary code in the context of your application. Do not use non-length-checked library functions like strcat() in web applications.
if(exists) return 1;
else return 0;
Last, but not least: the return value of a CGI script is meaningless. If you want to send a result to the web browser, you need to print it in a format that the browser is expecting. (In this case, JSON.)