Apostrophe messing with ajax results

[jcg31]

I am using some code that I have seen on a number of forums to search a database using ajax and return a result from the `ProspectName` field  (written by Amit Sarwara and apparently working fine for others)

 

.

All works fine until the name of the prospect contains an apostrophe.  Advice from another forum suggested using addslashes with the result

$theresult=addslashes($result->ProspectName);
echo <<<html
<li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$theresult}</li>
html;

and while that added the slash it didn't resolve the issue.

 

the attachment to this post provides firebug's feedback.

 

Any help would be apprecitated.

Thanks,

Jim

 

 

 

Here is the code:

<?php
 
 // PHP5 Implementation - uses MySQLi.
 // Written by Amit Sarwara
 // mysqli('localhost', 'yourUsername', 'yourPassword', 'yourDatabase');
  
     $db = new mysqli('127.0.0.1', 'root' ,'', 'progadad');
 
 if(!$db) {
  // Show error if we cannot connect.
  echo 'ERROR: Could not connect to the database.';
 } else {
  // Is there a posted query string?
  if(isset($_POST['queryString'])) {
   $queryString = $db->real_escape_string($_POST['queryString']);
   
   // Is the string length greater than 0?
   if(strlen($queryString) >0) {
    
    // Run the query: We use LIKE '$queryString%'
    // The percentage sign is a wild-card, in my example of countries it works like this...
    // $queryString = 'Uni';
    // Returned data = 'United States, United Kindom';
    
    // YOU NEED TO ALTER THthE QUERY TO MATCH YOUR DATABASE.
    // eg: SELECT yourColumnName FROM yourTable WHERE yourColumnName LIKE '$queryString%' LIMIT 10
    
    $query = $db->query("SELECT id, ProspectName, prospectorFullName, assignedrep  FROM captureddata WHERE ProspectName LIKE '$queryString%' LIMIT 8");
    if($query) {
     // While there are results loop through them - fetching an Object (i like PHP5 btw!).
     while ($result = $query ->fetch_object()) {
      // Format the results, im using <li> for the list, you can change it.
      // The onClick function fills the textbox with the result.
      
      // YOU MUST CHANGE: $result->value to $result->your_colum
           
     
     echo <<<html
     <li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$result->ProspectName}</li>
html;
            }
    } else {
     echo 'ERROR: There was a problem with the query.';
    }
   } else {
    // Dont do anything.
   } // There is a queryString.
  } else {
   echo 'There should be no direct access to this script!';
  }
 }
 
?>

Edited May 4, 2013 by jcg31

[mac_gyver]

you need to use htmlentities() on any "content" that you output that may contain characters that have meaning in the html/javascript context they are being output in.

[jcg31]

you need to use htmlentities() on any "content" that you output that may contain characters that have meaning in the html/javascript context they are being output in.

 

I gave htmlentites a shot in the following manner.  Same result, what am I doing wrong?

$theresult= htmlentities($result->ProspectName,ENT_QUOTES);
echo <<<html
<li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$theresult}</li>
html;

Edited May 5, 2013 by jcg31

[mac_gyver]

all the places $result->ProspectName is used must be replaced with $theresult. the single quote in the $result->ProspectName value is breaking the javascript syntax.