jcg31 Posted May 4, 2013 (edited)

I am using some code that I have seen on a number of forums to search a database using ajax and return a result from the `ProspectName` field (written by Amit Sarwara and apparently working fine for others). All works fine until the name of the prospect contains an apostrophe. Advice from another forum suggested using addslashes with the result:

    $theresult = addslashes($result->ProspectName);
    echo <<<html
    <li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$theresult}</li>
    html;

and while that added the slash it didn't resolve the issue. The attachment to this post provides Firebug's feedback. Any help would be appreciated.

Thanks,
Jim

Here is the code:

    <?php
    // PHP5 Implementation - uses MySQLi.
    // Written by Amit Sarwara
    // mysqli('localhost', 'yourUsername', 'yourPassword', 'yourDatabase');
    $db = new mysqli('127.0.0.1', 'root', '', 'progadad');
    // new mysqli always returns an object; a failed connection is reported
    // through connect_error, so that is what has to be checked.
    if ($db->connect_error) {
        // Show error if we cannot connect.
        echo 'ERROR: Could not connect to the database.';
    } else {
        // Is there a posted query string?
        if (isset($_POST['queryString'])) {
            $queryString = $db->real_escape_string($_POST['queryString']);
            // Is the string length greater than 0?
            if (strlen($queryString) > 0) {
                // Run the query: We use LIKE '$queryString%'
                // The percentage sign is a wild-card, in my example of countries it works like this...
                // $queryString = 'Uni';
                // Returned data = 'United States, United Kingdom';
                // YOU NEED TO ALTER THE QUERY TO MATCH YOUR DATABASE.
                // eg: SELECT yourColumnName FROM yourTable WHERE yourColumnName LIKE '$queryString%' LIMIT 10
                $query = $db->query("SELECT id, ProspectName, prospectorFullName, assignedrep FROM captureddata WHERE ProspectName LIKE '$queryString%' LIMIT 8");
                if ($query) {
                    // While there are results loop through them - fetching an Object (I like PHP5 btw!).
                    while ($result = $query->fetch_object()) {
                        // Format the results, I'm using <li> for the list, you can change it.
                        // The onClick function fills the textbox with the result.
                        // YOU MUST CHANGE: $result->value to $result->your_column
                        echo <<<html
    <li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$result->ProspectName}</li>
    html;
                    }
                } else {
                    echo 'ERROR: There was a problem with the query.';
                }
            } else {
                // Don't do anything.
            }
            // There is a queryString.
        } else {
            echo 'There should be no direct access to this script!';
        }
    }
    ?>

Edited May 4, 2013 by jcg31
mac_gyver Posted May 4, 2013

You need to use htmlentities() on any "content" that you output that may contain characters that have meaning in the HTML/JavaScript context they are being output in.
jcg31 Posted May 5, 2013 (Author, edited)

> You need to use htmlentities() on any "content" that you output that may contain characters that have meaning in the HTML/JavaScript context they are being output in.

I gave htmlentities a shot in the following manner. Same result, what am I doing wrong?

    $theresult = htmlentities($result->ProspectName, ENT_QUOTES);
    echo <<<html
    <li onClick="fill('{$result->ProspectName}','{$result->id}','{$result->assignedrep}','1');">{$theresult}</li>
    html;

Edited May 5, 2013 by jcg31
mac_gyver Posted May 6, 2013

All the places $result->ProspectName is used must be replaced with $theresult. The single quote in the $result->ProspectName value is breaking the JavaScript syntax.
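The ProspectName value in the thread's `<li>` sits in two nested contexts, a JavaScript string literal inside an HTML attribute, so each layer needs its own encoding, innermost first. The PHP below is an added example, not code from the thread or from Amit Sarwara's script; `jsLiteral`, `html`, `renderProspectItem`, `renderProspectItemData` and the sample row are constructed for illustration.

```php
<?php
// Added example (not from the thread or Amit Sarwara's script). ProspectName
// sits in two nested contexts: a JavaScript string literal inside an HTML
// attribute. Encode once per layer, innermost (JavaScript) first.
declare(strict_types=1);
// Layer 1: render the value as a JavaScript string literal. The JSON_HEX_*
// flags replace ' " < > & with \uXXXX escapes, so the literal contains none
// of the characters that could end the attribute or start a tag.
function jsLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

// Layer 2: escape for element text or a double-quoted HTML attribute.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same onClick="fill(...)" shape as the thread's <li>, correctly encoded.
// The browser decodes the attribute first, so the handler source becomes
// fill("O\u0027Brien ...","42","jsmith","1"); which is valid JavaScript.
function renderProspectItem(object $row): string
{
    $args = implode(',', [
        jsLiteral($row->ProspectName),
        jsLiteral((string) $row->id),
        jsLiteral((string) $row->assignedrep),
        jsLiteral('1'),
    ]);
    return '<li onClick="' . html("fill($args);") . '">' . html($row->ProspectName) . '</li>';
}

// Alternative with no inline JavaScript at all: HTML-escape the values into
// data-* attributes and attach one click listener from a <script>.
function renderProspectItemData(object $row): string
{
    return sprintf(
        '<li class="prospect" data-name="%s" data-id="%s" data-rep="%s">%s</li>',
        html($row->ProspectName), html((string) $row->id),
        html((string) $row->assignedrep), html($row->ProspectName)
    );
}
// Constructed sample row standing in for a mysqli fetch_object() result.
$row = (object) ['id' => 42, 'ProspectName' => "O'Brien & <Sons> \"Ltd\"", 'assignedrep' => 'jsmith'];
echo renderProspectItem($row), "\n", renderProspectItemData($row), "\n";
```

With the data-attribute variant, a single listener on the list can read `event.target.dataset.name`, `.id` and `.rep` and call `fill()` itself, so no database value is ever spliced into JavaScript source.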