Marcus

Reputation: 425

How do I save special characters from a textfield ('+<>$") into a database, then retrieve them with PHP?

I have a textarea created for a personal message, with a subject. It is passed to a Javascript/jQuery function, which passes it to a PHP file to store in the database. However, when special characters such as the ampersand, less than, greater than, apostrophe, plus sign, and quotation marks are used, it doesn't store correctly in my database. Needless to say, when I retrieve the data, it is not displayed properly.

Here is the HTML:

 <input id="pmsubject" placeholder="Subject"><br />
 <textarea id="pmtext" placeholder="Send a private message"></textarea>
 <button id="pmBtn" onclick="postPm(pmsubject,pmtext)">Send</button>

Here is the Javascript/jQuery (partial):

function postPm(subject,textarea){
    var data = $("#pmtext").val();     // message body (id from the HTML above)
    var data2 = $("#pmsubject").val(); // subject (id from the HTML above)

I do some error checking and handling then send my information with AJAX:

type: "POST",
url: "pm_system.php",
data:"data="+data+"&data2="+data2, // values concatenated into the body without URL-encoding

So far so good right? Here is the pm_system.php portion where I store the code:

$data = htmlentities($_POST['data']);               // HTML-encode on input, before storage
$data = mysqli_real_escape_string($db_con, $data);  // SQL-escape for the interpolated query below
$data2 = htmlentities($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);

$sql = "INSERT INTO pm(subject, message)
        VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);

So if I write a message that says, I'm a big fan of cats + dogs & "sometimes" birds. My output would be:

I\'m a big fan of cats   dogs

It always puts slashes in front of quotations and apostrophes, always replaces + sign with a space, and nothing follows after an ampersand sign. I've tried replacing the characters like this in Javascript:

data = data.replace(/\"/g, '&quot;'); //Just using one for example

But that doesn't work either. How do I save these characters from a textarea in a database, unaltered?

Upvotes: 1

Views: 2488

Answers (2)

youngfella

Reputation: 23

I'd suggest trying htmlspecialchars() instead of htmlentities(). I've had some troubles with htmlentities() and outputting the data in the past. Using htmlspecialchars() solved it.

Upvotes: 0

2ndkauboy

Reputation: 9387

I would guess that the data you receive through your JavaScript function is already escaped. So when you enter I'm a big fan of cats dogs you get I\'m a big fan of cats dogs in your PHP script. When you then use mysqli_real_escape() you are adding another escape character.

So you might want to replace the escape character before:

$data = stripslashes($_POST['data']);               // remove the escaping already present in the input
$data = mysqli_real_escape_string($db_con, $data);  // then escape once, for the query below
$data2 = stripslashes($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);

$sql = "INSERT INTO pm(subject, message)
        VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);

I would not recommend using htmlentities(); save the data "as is" into the database, as otherwise things like full-text searches don't work correctly.

The issue with the + sign is probably because you send the values as a query string data:"data="+data+"&data2="+data2 and in a URL, a + sign is used for a space. To fix that, you should rather pass the data as an object:

type: "POST",
url: "pm_system.php",
data: { "data": data, "data2": data2 }, // jQuery URL-encodes each value for you

That should also fix most of the other problematic characters.

Upvotes: 2
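The query-string problem 2ndkauboy describes, worked through as an added JavaScript example (not code from the question or either answer): the hand-built body versus the percent-encoded body jQuery produces for the object form, both parsed the way PHP fills $_POST. The MESSAGE and SUBJECT strings are constructed sample input, and parseBody and escapeHtml are stand-ins for PHP's form decoding and htmlspecialchars().

```javascript
// Constructed sample input: the asker's own message and a subject.
const MESSAGE = 'I\'m a big fan of cats + dogs & "sometimes" birds.';
const SUBJECT = 'Pets <3';

// The asker's approach: raw concatenation, no encoding at all.
function buildBodyNaive(data, data2) {
  return "data=" + data + "&data2=" + data2;
}

// What jQuery does with data: { data: ..., data2: ... }: each value is
// application/x-www-form-urlencoded, so '+' -> %2B, '&' -> %26, '"' -> %22.
function buildBodyEncoded(data, data2) {
  return new URLSearchParams({ data: data, data2: data2 }).toString();
}

// Server-side view: decode the body as PHP does when building $_POST
// ('+' means space, '&' separates fields, %XX is decoded).
function parseBody(body) {
  const fields = {};
  for (const [key, value] of new URLSearchParams(body)) fields[key] = value;
  return fields;
}

// Store the text as-is; escape only when rendering it into HTML
// (the equivalent of PHP's htmlspecialchars() at output time).
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

const naive = parseBody(buildBodyNaive(MESSAGE, SUBJECT));
const encoded = parseBody(buildBodyEncoded(MESSAGE, SUBJECT));
console.log(JSON.stringify(naive.data));   // "I'm a big fan of cats   dogs " : '+' became a space, '&' cut the rest off
console.log(JSON.stringify(encoded.data)); // the full message, unchanged
console.log(escapeHtml(encoded.data));     // safe to place inside an HTML element
```

The slashes the asker sees come from the PHP side, not from the transport; with the body encoded this way and the text stored unmodified, escaping belongs at the SQL layer (escape once) and again at render time.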
