alidayan Posted May 16, 2020

Hi, I am trying to send input Don't, can't or anything else which contains '. But Ajax sends it like: t_name=Don%27t&_=1589636831048 and then I get an error while trying to insert into MySQL. I only have a problem with '. I tried lots of things but something is missing. I couldn't figure it out. Could somebody help me?

My Ajax:

var t_name = document.getElementById(mydiv).value;
$.ajax({
    type: "GET",
    url: './api/objects/add.php',
    async: false,
    cache: false,
    contentType: "application/x-www-form-urlencoded;charset=ISO-8859-1",
    dataType: 'json',
    data: { t_tsk: id, t_name: t_name },
    success: function (result) {
    },
    error: function (xhr, status, error) {
        document.getElementById("errorDiv").hidden = false;
        if (xhr.responseText) {
        } else {
        }
    }
});

My url when I write don't to input area: /add.php?t_tsk=1&t_name=Don%27t&_=1589636831048

My php code:

<?php
// include database and object files
include_once '../config/database.php';
include_once '../objects/myObject.php';

// get database connection
$database = new Database();
$db = $database->getConnection();

$myObject = new MyObject($db);

$myObject->t_id = isset($_GET['t_tsk']) ? $_GET['t_tsk'] : die();
$myObject->name = isset($_GET['t_name']) ? utf8_decode($_GET['t_name']) : die();

if ($myObject->create()) {
    http_response_code(200);
    $myObject_arr = array(
        "status" => true,
        "message" => "Successfully created!",
        "id" => $myObject->id,
        "name" => $myObject->name
    );
} else {
    http_response_code(401);
    $myObject_arr = array(
        "status" => false,
        "message" => "Error!"
    );
}

print_r(json_encode($myObject_arr));
?>

Thank you all.
gw1500se Posted May 16, 2020

https://www.php.net/manual/en/function.htmlentities.php
Barand Posted May 16, 2020

Build your query string with http_build_query()

$vals = [
    'id' => 123,
    'name' => "Don't do that!"
];
$qstr = http_build_query($vals);
mac_gyver Posted May 16, 2020

2 hours ago, alidayan said:
> an error while trying to insert to mysql.

what exactly is the error you are getting and what is your database specific code that's using the submitted value?
alidayan Posted May 16, 2020 Author

2 hours ago, Barand said:
> Build your query string with http_build_query()
>
> $vals = [
>     'id' => 123,
>     'name' => "Don't do that!"
> ];
> $qstr = http_build_query($vals);

How to do this inside javascript?

3 hours ago, gw1500se said:
> https://www.php.net/manual/en/function.htmlentities.php

Thank you but I have a problem while sending json data to PHP i think.

1 hour ago, mac_gyver said:
> what exactly is the error you are getting and what is your database specific code that's using the submitted value?

This is what oResponse = JSON.parse(xhr.responseText); gives me: [object Object]. And php sends error while trying to insert data to mysql

<?php
class Subtasks {
    // database connection and table name
    private $conn;
    private $table_name = "myExmpTable";

    public $t_id;
    public $name;
    public $id;   // set from lastInsertId() after a successful insert

    // constructor with $db as database connection
    public function __construct($db) {
        $this->conn = $db;
    }

    function create() {
        // the submitted values are concatenated straight into the SQL text
        $query = "INSERT INTO " . $this->table_name . " (id, name) VALUES ('" . $this->t_id . "', '" . $this->name . "')";

        // prepare query
        $stmt = $this->conn->prepare($query);

        // execute query
        if ($stmt->execute()) {
            $this->id = $this->conn->lastInsertId();
            return true;
        }
        return false;
    }
}
?>
mac_gyver Posted May 16, 2020

18 minutes ago, alidayan said:
> $query = "INSERT INTO ". $this->table_name ." (id, name) VALUES ('".$this->t_id."', '".$this->name."')";

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.
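The change mac_gyver describes, written out as an added example (this is not code posted by anyone in the thread). It keeps the thread's class, table and column names, runs against an in-memory SQLite database through PDO so it works offline (the pdo_sqlite driver is assumed to be installed), and first shows with parse_str() that the %27 seen in the URL is only transport encoding: PHP has already turned it back into an apostrophe by the time the value is in $_GET, so the failure is in the query string building, not the Ajax call. The query string and table contents here are constructed for the demonstration.

```php
<?php
// Added example, not the thread author's code. Assumes PDO with pdo_sqlite.

// 1. The URL carried t_name=Don%27t. PHP decodes query strings before filling
//    $_GET; parse_str() applies the same decoding, so the apostrophe is back.
parse_str('t_tsk=1&t_name=Don%27t', $params);   // constructed query string
var_dump($params['t_name']);

// 2. Offline database with the thread's table layout (constructed for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE myExmpTable (id INTEGER, name TEXT)');

class Subtasks {
    private $conn;
    private $table_name = "myExmpTable";
    public $t_id;
    public $name;
    public $id;

    public function __construct($db) {
        $this->conn = $db;
    }

    // The thread's original approach: the value is glued into the SQL text, so
    // the apostrophe in "Don't" closes the string literal early and the rest of
    // the statement is no longer valid SQL (or, for a crafted value, becomes
    // extra SQL). Kept here only to show the failure side by side.
    function createUnsafe() {
        $query = "INSERT INTO " . $this->table_name
               . " (id, name) VALUES ('" . $this->t_id . "', '" . $this->name . "')";
        $stmt = $this->conn->prepare($query);
        return $stmt->execute();
    }

    // Prepared query as recommended: one ? placeholder per value, the values
    // passed as an array to execute(). The driver sends them separately from the
    // SQL text, so no character in a value can alter the statement.
    function create() {
        $query = "INSERT INTO " . $this->table_name . " (id, name) VALUES (?, ?)";
        $stmt = $this->conn->prepare($query);
        if ($stmt->execute([$this->t_id, $this->name])) {
            $this->id = $this->conn->lastInsertId();
            return true;
        }
        return false;
    }
}

$obj = new Subtasks($db);
$obj->t_id = $params['t_tsk'];
$obj->name = $params['t_name'];

// The concatenated version raises a syntax error for "Don't".
try {
    $obj->createUnsafe();
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// The prepared version stores the apostrophe unchanged.
var_dump($obj->create());
foreach ($db->query('SELECT id, name FROM myExmpTable') as $row) {
    echo $row['id'] . ' => ' . $row['name'] . PHP_EOL;
}
```

Run it with the PHP CLI (php example.php). The same create() body works unchanged against MySQL once $db is the thread's existing PDO connection; only the table creation line is SQLite specific to this demonstration.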
alidayan Posted May 16, 2020 Author

5 minutes ago, mac_gyver said:
> do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

Thank you I will try to do like that.