Sending Quote - Ajax

[alidayan]

Hi,

I am trying to send input Don't, can't or anything else which contains '. But Ajax sends it like: t_name=Don%27t&_=1589636831048 and then I got an error while trying to insert to mysql. I only have problem with '. I tried lots of thing but something is missing. I couldn't figure it out. Could somebody help me?

My Ajax:

var t_name = document.getElementById(mydiv).value;
$.ajax(
            {
                type: "GET",
                url: './api/objects/add.php',
                async:false,
                cache:false,
                contentType: "application/x-www-form-urlencoded;charset=ISO-8859-1",
                dataType: 'json',
                data: {
                    t_tsk: id,
                    t_name: t_name
                },
                success: function (result) {
                    
                },
                error: function(xhr, status, error) {
                    document.getElementById("errorDiv").hidden = false;
                	if (xhr.responseText) {
                		
                	} else {
                        
                    }
                }
            });

 My url when I write don't to input area: /add.php?t_tsk=1&t_name=Don%27t&_=1589636831048

My php code:

<?php
    // include database and object files
    include_once '../config/database.php';
    include_once '../objects/myObject.php';
     
    // get database connection
    $database = new Database();
    $db = $database->getConnection();
    
        $myObject = new MyObject($db);
        $myObject->t_id = isset($_GET['t_tsk']) ? $_GET['t_tsk'] : die();
        $myObject->name = isset($_GET['t_name']) ? utf8_decode($_GET['t_name']) : die();
        
        if($myObject->create()){
            http_response_code(200);
            $myObject_arr=array(
                "status" => true,
                "message" => "Successfully created!",
                "id" => $myObject->id,
                "name" => $myObject->name
            );
        }
        else{
            http_response_code(401);
            $myObject_arr=array(
                "status" => false,
                "message" => "Error!"
            );
        }
    print_r(json_encode($myObject_arr));
?>

Thank you all.

[gw1500se]

https://www.php.net/manual/en/function.htmlentities.php

[Barand]

Build your query string with http_build_query()

$vals = [ 'id' => 123,
          'name' => "Don't do that!"
        ];
$qstr = http_build_query($vals);

 

[mac_gyver]

2 hours ago, alidayan said:

an error while trying to insert to mysql.

what exactly is the error you are getting and what is your database specific code that's using the submitted value?

[alidayan]

2 hours ago, Barand said:

Build your query string with http_build_query()

$vals = [ 'id' => 123,
          'name' => "Don't do that!"
        ];
$qstr = http_build_query($vals);

 

How to do this inside javascript?

3 hours ago, gw1500se said:

https://www.php.net/manual/en/function.htmlentities.php

Thank you but I have problem while sending json data to PHP i think.

 

1 hour ago, mac_gyver said:

what exactly is the error you are getting and what is your database specific code that's using the submitted value?

This is what oResponse = JSON.parse(xhr.responseText); gives me: [object Object]. And php sends error while trying to insert data to mysql

 

<?php
    class Subtasks{
      
        // database connection and table name
        private $conn;
        private $table_name = "myExmpTable";
      
        public $t_id;
        public $name;
      
        // constructor with $db as database connection
        public function __construct($db){
            $this->conn = $db;
        }
      
		function create(){
			$query = "INSERT INTO  ". $this->table_name ." 
                        (id, name)
                  VALUES
                        ('".$this->t_id."', '".$this->name."')";
    
            // prepare query
            $stmt = $this->conn->prepare($query);
        
            // execute query
            if($stmt->execute()){
                $this->id = $this->conn->lastInsertId();
                return true;
            }
            return false;
    	}
	}
?>

 

[mac_gyver]

18 minutes ago, alidayan said:

$query = "INSERT INTO ". $this->table_name ." (id, name) VALUES ('".$this->t_id."', '".$this->name."')";

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

[alidayan]

5 minutes ago, mac_gyver said:

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

Thank you I will try to do like that.