Jump to content

Sending Quote - Ajax

alidayan

By alidayan
in PHP Coding Help

 Share

Recommended Posts

alidayan Member

alidayan

Posted
Posted

Hi,

I am trying to send input Don't, can't or anything else which contains '. But Ajax sends it like: t_name=Don%27t&_=1589636831048 and then I got an error while trying to insert to mysql. I only have problem with '. I tried lots of thing but something is missing. I couldn't figure it out. Could somebody help me?

My Ajax: 

var t_name = document.getElementById(mydiv).value;
$.ajax(
            {
                type: "GET",
                url: './api/objects/add.php',
                async:false,
                cache:false,
                contentType: "application/x-www-form-urlencoded;charset=ISO-8859-1",
                dataType: 'json',
                data: {
                    t_tsk: id,
                    t_name: t_name
                },
                success: function (result) {
                    
                },
                error: function(xhr, status, error) {
                    document.getElementById("errorDiv").hidden = false;
                	if (xhr.responseText) {
                		
                	} else {
                        
                    }
                }
            });

 My url when I write don't to input area: /add.php?t_tsk=1&t_name=Don%27t&_=1589636831048

My php code: 

<?php
    // include database and object files
    include_once '../config/database.php';
    include_once '../objects/myObject.php';
     
    // get database connection
    $database = new Database();
    $db = $database->getConnection();
    
        $myObject = new MyObject($db);
        $myObject->t_id = isset($_GET['t_tsk']) ? $_GET['t_tsk'] : die();
        $myObject->name = isset($_GET['t_name']) ? utf8_decode($_GET['t_name']) : die();
        
        if($myObject->create()){
            http_response_code(200);
            $myObject_arr=array(
                "status" => true,
                "message" => "Successfully created!",
                "id" => $myObject->id,
                "name" => $myObject->name
            );
        }
        else{
            http_response_code(401);
            $myObject_arr=array(
                "status" => false,
                "message" => "Error!"
            );
        }
    print_r(json_encode($myObject_arr));
?>

Thank you all.

Link to comment
Share on other sites
alidayan Member

alidayan

Posted
  • Author
Posted
2 hours ago, Barand said:

Build your query string with http_build_query() 


$vals = [ 'id' => 123,
          'name' => "Don't do that!"
        ];
$qstr = http_build_query($vals);

 

How to do this inside javascript?

3 hours ago, gw1500se said:

https://www.php.net/manual/en/function.htmlentities.php

Thank you but I have problem while sending json data to PHP i think.

 

1 hour ago, mac_gyver said:

what exactly is the error you are getting and what is your database specific code that's using the submitted value?

This is what oResponse = JSON.parse(xhr.responseText); gives me: [object Object]. And php sends error while trying to insert data to mysql

  

<?php
    class Subtasks{
      
        // database connection and table name
        private $conn;
        private $table_name = "myExmpTable";
      
        public $t_id;
        public $name;
      
        // constructor with $db as database connection
        public function __construct($db){
            $this->conn = $db;
        }
      
		function create(){
			$query = "INSERT INTO  ". $this->table_name ." 
                        (id, name)
                  VALUES
                        ('".$this->t_id."', '".$this->name."')";
    
            // prepare query
            $stmt = $this->conn->prepare($query);
        
            // execute query
            if($stmt->execute()){
                $this->id = $this->conn->lastInsertId();
                return true;
            }
            return false;
    	}
	}
?>

 

Link to comment
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted
18 minutes ago, alidayan said:

$query = "INSERT INTO ". $this->table_name ." (id, name) VALUES ('".$this->t_id."', '".$this->name."')";

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

Link to comment
Share on other sites
alidayan Member

alidayan

Posted
  • Author
Posted
5 minutes ago, mac_gyver said:

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

Thank you I will try to do like that.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.