Sending Quote - Ajax


alidayan


Hi,

I am trying to send input like Don't, can't or anything else which contains '. But Ajax sends it like: t_name=Don%27t&_=1589636831048 and then I get an error while trying to insert into MySQL. I only have a problem with '. I tried lots of things but something is missing. I couldn't figure it out. Could somebody help me?

My Ajax:

var t_name = document.getElementById(mydiv).value;
$.ajax({
    type: "GET",
    url: './api/objects/add.php',
    async: false,
    cache: false,
    contentType: "application/x-www-form-urlencoded;charset=ISO-8859-1",
    dataType: 'json',
    data: {
        t_tsk: id,
        t_name: t_name
    },
    success: function (result) {

    },
    error: function (xhr, status, error) {
        document.getElementById("errorDiv").hidden = false;
        if (xhr.responseText) {

        } else {

        }
    }
});

My URL when I write Don't in the input area: /add.php?t_tsk=1&t_name=Don%27t&_=1589636831048

My PHP code:

<?php
// include database and object files
include_once '../config/database.php';
include_once '../objects/myObject.php';

// get database connection
$database = new Database();
$db = $database->getConnection();

$myObject = new MyObject($db);
$myObject->t_id = isset($_GET['t_tsk']) ? $_GET['t_tsk'] : die();
$myObject->name = isset($_GET['t_name']) ? utf8_decode($_GET['t_name']) : die();

if ($myObject->create()) {
    http_response_code(200);
    $myObject_arr = array(
        "status" => true,
        "message" => "Successfully created!",
        "id" => $myObject->id,
        "name" => $myObject->name
    );
} else {
    http_response_code(401);
    $myObject_arr = array(
        "status" => false,
        "message" => "Error!"
    );
}
print_r(json_encode($myObject_arr));
?>

Thank you all.


2 hours ago, Barand said:

Build your query string with http_build_query()


$vals = [ 'id' => 123,
          'name' => "Don't do that!"
        ];
$qstr = http_build_query($vals);


How to do this inside javascript?

3 hours ago, gw1500se said:

Thank you, but I think I have a problem while sending JSON data to PHP.


1 hour ago, mac_gyver said:

what exactly is the error you are getting and what is your database specific code that's using the submitted value?

This is what oResponse = JSON.parse(xhr.responseText); gives me: [object Object]. And PHP sends an error while trying to insert data into MySQL.

<?php
class Subtasks
{
    // database connection and table name
    private $conn;
    private $table_name = "myExmpTable";

    public $t_id;
    public $name;

    // constructor with $db as database connection
    public function __construct($db)
    {
        $this->conn = $db;
    }

    function create()
    {
        $query = "INSERT INTO " . $this->table_name . "
                    (id, name)
              VALUES
                    ('" . $this->t_id . "', '" . $this->name . "')";

        // prepare query
        $stmt = $this->conn->prepare($query);

        // execute query
        if ($stmt->execute()) {
            $this->id = $this->conn->lastInsertId();
            return true;
        }
        return false;
    }
}
?>



18 minutes ago, alidayan said:

$query = "INSERT INTO ". $this->table_name ." (id, name) VALUES ('".$this->t_id."', '".$this->name."')";

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

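As an added example (not code from the thread or from any poster), here is the posted Subtasks::create() rewritten the way mac_gyver describes: ? placeholders in the SQL text and the values handed to execute() as an array. It assumes $db is a PDO connection and uses a constructed in-memory SQLite table with the thread's table and column names so it runs offline.

```php
<?php
// Added example: prepared query with placeholders instead of string concatenation.
class Subtasks
{
    private PDO $conn;
    private string $table_name = "myExmpTable";

    public $t_id;
    public $name;
    public $id;

    public function __construct(PDO $db)
    {
        $this->conn = $db;
    }

    public function create(): bool
    {
        // The values never become part of the SQL text, so an apostrophe in
        // $this->name can neither break the statement nor change its meaning.
        $query = "INSERT INTO " . $this->table_name . " (id, name) VALUES (?, ?)";
        $stmt = $this->conn->prepare($query);
        if ($stmt->execute([$this->t_id, $this->name])) {
            $this->id = $this->conn->lastInsertId();
            return true;
        }
        return false;
    }
}

// Constructed test database (assumption: in-memory SQLite stands in for the
// thread's MySQL table; the class code is the same for both).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE myExmpTable (pk INTEGER PRIMARY KEY AUTOINCREMENT, id INTEGER, name TEXT)");

$s = new Subtasks($db);
$s->t_id = 1;
$s->name = "Don't";   // the input that broke the concatenated query in the thread
var_dump($s->create());
$row = $db->query("SELECT name FROM myExmpTable")->fetch(PDO::FETCH_ASSOC);
var_dump($row['name']);
```

By the time the value reaches $_GET, PHP has already decoded %27 back to ', so the apostrophe was never a client-side encoding problem; it only broke the query because it was concatenated into the SQL text.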

5 minutes ago, mac_gyver said:

do NOT put external, unknown, dynamic values directly into an sql query statement, since any sql special characters in the values will break the sql query syntax. use a (proper) prepared query, with a ? place-holder in the sql query statement for each value, then supply the values as an array to the execute([...]) call.

Thank you, I will try to do it like that.
