I'm building a form that has a look-ahead input box (using jQuery UI). The input chosen (in this case, bands) is sent to the database via Ajax, then displayed below the input box in either a Plaintiff, Defendant, or Other bin.
For 90% of the cases, it works just fine, asynchronously glorious. The issue arises when a band happens to have quotes or an apostrophe in it. I'm escaping the characters with mysql_real_escape_string
in my PHP form handler, but the problem appears to be originating when the data is Ajax'd over.
description=Watts, Michael "5000" becomes description=Watts%2C+Michael+%225000%22.
Here's my jQuery code (nothing fancy, just the serialization) and my PHP code. Note that it works just fine if I manually enter description=Watts, Michael "5000"
into my PHP file (as in, it can grab the data that it otherwise cannot).
jQuery code:
$('#party_add').live('click', function(){
//grab the form
var thisform=$(this).parents('form');
//serialize the data
var toSend=thisform.serialize();
//add the caseID we stored in #caseId
var storedCaseId=$('#caseId').text();
toSend=toSend+'&caseId='+storedCaseId;
$.ajax({
type : "POST",
url : 'cases_form_handl开发者_如何学编程er.php',
data : toSend,
dataType:'json',
success : function(data){
alert(toSend);
//conjure the relevant parties into their respective places in the table below with some sexy json action
$('.party').empty();
for(var x=0; x < data.length; x++){
if(data[x].partyType==1){
$('.party:first').append('<span class=party_addition id='+data[x].partyId+'>'+data[x].description+'</span><br/>');
}else{
//if defendant, put them in the defendant box
if(data[x].partyType==2){
$('.party:first').next('.party').append('<span class=party_addition id='+data[x].partyId+'>'+data[x].description+'</span><br/>');
}else{
//if other, put them in the other box
if(data[x].partyType==3){
$('.party:first').next('.party').next('.party').append('<span class=party_addition id='+data[x].partyId+'>'+data[x].description+'</span><br/>');
}
}
}
}
}
});
PHP code and failing SQL call:
$description=mysql_real_escape_string($_POST['description']);
$sql="SELECT id FROM varParties WHERE description='$description'";
$result=mysql_query($sql);
while($row=mysql_fetch_assoc($result)){
$partyId=$row['id'];
}
UPDATE:
Here's the json portion of my php
$sql = "SELECT varParties.*,relCasesParties.partyType,relCasesParties.active FROM varParties INNER JOIN relCasesParties ON relCasesParties.partyId = varParties.id WHERE relCasesParties.caseId = '$caseId' AND relCasesParties.active='1'";
//build array of results
$query=mysql_query($sql);
for ($x = 0, $numrows = mysql_num_rows($query); $x < $numrows; $x++) {
$row = mysql_fetch_assoc($query);
$parties[$x] = array('description'=>$row['description'],'partyId'=>$row['id'],'partyType'=>$row['partyType']);
}
//send it back
echo json_encode($parties);
Where would I use htmlentities?
Use
$description=mysql_real_escape_string(urldecode($_POST['description']));
Now, when it's visible, that you are trying to output JSON string, the answer is different.
for the loop use:
for ($x = 0, $numrows = mysql_num_rows($query); $x < $numrows; $x++) {
$row = mysql_fetch_assoc($query);
$parties[$x] = array('description'=>addcslashes($row['description'],'"'),'partyId'=>$row['id'],'partyType'=>$row['partyType']);
}
精彩评论