Question

I have this form:

<form name="myForm" action="#">
     <input type="text" name="firstField" />
     <input type="text" name="secondField" />
     <input type="submit" name="submitButton" />
</form>

And I have an AJAX request:

$('input[type="submit"]').click(function(){
    var serialized = $('form').serialize();
    // ajax request
    $.ajax({
        type : "POST",
        url : "takeAction.php",
        data : serialized,
        // the option name is "success"; a misspelled key is silently ignored
        success : function(){
            alert('done');
        }
    });
});

The problem is that if any of my fields' values contains "'", like (who's the boss), my AJAX request fails to complete (I'm trying to update a MySQL row but the code fails; I get no error, just that my row is not updated). I know that it's something about quotes but I don't know how to do it. Thanks.

Solution

The problem is in your PHP code on the server, not in your HTML or JavaScript.

You're probably writing the submitted data values directly into an SQL query, yes?:

$query = sprintf("SELECT * FROM users WHERE user='%s'", $user);

You need to either use prepared statements, or use mysql_real_escape_string() to escape your values:

$query = sprintf("SELECT * FROM users WHERE user='%s'",
                  mysql_real_escape_string($user));
Licensed under: CC-BY-SA with attribution
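
The prepared-statement option mentioned in the answer, shown next to the concatenated form for the input from the question. This is an added example, not part of the original answer or the asker's takeAction.php; the `people` table, its columns and the in-memory SQLite database (a stand-in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example. Table, column and function names are assumptions;
// SQLite in memory stands in for MySQL so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE people (id INTEGER PRIMARY KEY, first TEXT, second TEXT)");
$pdo->exec("INSERT INTO people (id, first, second) VALUES (1, 'old', 'old')");

// Constructed sample of what $('form').serialize() would POST.
$post = ['firstField' => "who's the boss", 'secondField' => 'x'];

// Before: values spliced into the SQL text. The apostrophe ends the string
// literal early, the statement no longer parses, and the row is not updated.
function updateConcatenated(PDO $pdo, array $post, int $id): bool
{
    $sql = sprintf("UPDATE people SET first='%s', second='%s' WHERE id=%d",
                   $post['firstField'], $post['secondField'], $id);
    try {
        return $pdo->exec($sql) === 1;
    } catch (PDOException $e) {
        // Log the database error instead of failing silently.
        error_log('update failed: ' . $e->getMessage());
        return false;
    }
}

// After: the SQL text is constant; values travel separately as bound
// parameters, so quotes in the input are data and never SQL syntax.
function updatePrepared(PDO $pdo, array $post, int $id): bool
{
    $stmt = $pdo->prepare(
        'UPDATE people SET first = :first, second = :second WHERE id = :id'
    );
    $stmt->execute([
        ':first'  => $post['firstField'],
        ':second' => $post['secondField'],
        ':id'     => $id,
    ]);
    return $stmt->rowCount() === 1;
}

var_dump(updateConcatenated($pdo, $post, 1));
var_dump(updatePrepared($pdo, $post, 1));
echo $pdo->query('SELECT first FROM people WHERE id = 1')->fetchColumn(), "\n";
```

With MySQL, only the DSN passed to `new PDO(...)` changes; the `prepare()` and `execute()` calls stay the same.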