Question

I'm using this update statement

$sql = "update questions set response = ?, `check` = ? where questionID = ? && starID = ?";
$qc = $pdo_conn->prepare($sql);
$qc->execute(array($_GET['response'], $_GET['check'], $_GET['questionID'], $_SESSION['starid']));

But when the response value has an & in it, like pop and r&b, it ends up in the database as pop and r.

Also, if there is a line break it takes out all of the spaces, like:

Bob
Jim

ends up in the database as BobJim

The response type in the database is varchar(10000)

Here is the JavaScript code that gets the $_GET['response'] value:

var html = '';
$(document).ready(function(){
    $(".save_btn").live('click', function() {

        $('.response').each(function(){
            //alert($(this).attr('id'));
            //alert($(this).val());
            if ($(this).val() == '') {
                html = $.ajax({
                    url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val() + "&check=0",
                    async: false
                }).responseText;
            }   
            if ($(this).val() !== '') {
                html = $.ajax({
                    url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val($POST['response']) + "&check=1",
                    async: false
                }).responseText;
            }   

        }); 
        alert(html);
        location.reload();  
    });
})

This part of the if is the important part in this case:

       if ($(this).val() !== '') {
            html = $.ajax({
                url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val($POST['response']) + "&check=1",
                async: false
            }).responseText;
        }

Any ideas on how to fix this?


Solution

You should encode your value for URL:

escape($(this).val())

The & has a special meaning in a URL: it is used as a separator between parameters.
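
The effect of encoding each value, as an added example that is not part of the original answer. It uses encodeURIComponent, the standard function for encoding a single query value, in place of escape(), and parses the resulting URLs with the WHATWG URL parser to show what the server receives. BASE and the question ID 7 are constructed placeholders.

```javascript
// Added example, not code from the original post.
// BASE is a constructed placeholder origin used only to resolve the relative URL.
const BASE = "http://localhost/";

// The question's approach: paste the raw value into the query string.
function rawUrl(questionID, response, check) {
  return "response.php?questionID=" + questionID +
         "&response=" + response + "&check=" + check;
}

// Encoded approach: every value is percent-encoded before concatenation.
function encodedUrl(questionID, response, check) {
  return "response.php?questionID=" + encodeURIComponent(questionID) +
         "&response=" + encodeURIComponent(response) +
         "&check=" + encodeURIComponent(check);
}

// Parse the URL with the WHATWG URL parser (the one a browser applies before
// sending the request), then split the query on & and percent-decode it,
// returning the parameters as a plain object.
function serverSees(url) {
  return Object.fromEntries(new URL(url, BASE).searchParams);
}

// Constructed sample inputs matching the two symptoms in the question.
const samples = ["pop and r&b", "Bob\nJim"];
for (const value of samples) {
  console.log(JSON.stringify(value));
  console.log("  raw     ->", JSON.stringify(serverSees(rawUrl(7, value, 1))));
  console.log("  encoded ->", JSON.stringify(serverSees(encodedUrl(7, value, 1))));
}

// escape() leaves "+" unencoded, and "+" decodes to a space in a query string,
// which is one reason this example uses encodeURIComponent instead.
console.log(JSON.stringify(serverSees("response.php?response=" + escape("1+1"))));
```

In the raw case the text after the & arrives as a separate, empty parameter named b, and the URL parser drops the line break before the request is sent.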

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow