CODEWITHSUNDEEP
phpjquerymysqlmysqlicontenteditable
user1784025
user1784025

Reputation: 195

Save data from contentEditable div with mysqli

I'm trying to save data from contentEditable div to mySql DB. But it seems that '+' symbol cannot be stored in DB. Is this right concept or am I missing something?

index.php

<div id="la_sent" contentEditable=true></div>
<button class="saveChanges">Save changes</button>

script.js

$(document).ready(function(){
  $( ".saveChanges" ).click(function() {
      content = $('#la_sent').html();
      dataUrl = "iid=1&content="+content;
      $.ajax({
        url:"ajax.php",
        type:"POST",
        data:dataUrl,
        success:function(data){
            ...
      }});
  }); 
});

ajax.php

$type = $_POST['iid'];
$content = $_POST['content'];
$mysqli=connect_database(); //connection to database
$stmt = $mysqli->prepare('UPDATE email_structure SET content = ? WHERE type = ?');
$stmt->bind_param('ss', $content, $type);
$ress = $stmt->execute();
$stmt->close();
$mysqli->close();
echo "OK";

For example: If I write in div element string 'a+b+c' it adds in DB string 'a b c '. Any idea why?

Upvotes: 3

Views: 1377

Answers (2)

Jeribo
Jeribo

Reputation: 465

Plus signs get replaced as spaces by default so you have to encode them first.

encodeUriComponent is one way to do it in javascript

So editing your script.js to pass content variable through encodeURIComponent before appending it to datUrl should do the trick.

$(document).ready(function(){
  $( ".saveChanges" ).click(function() {
      content = $('#la_sent').html();
      dataUrl = "iid=1&content="+encodeURIComponent(content);  //encode content variable
      $.ajax({
        url:"ajax.php",
        type:"POST",
        data:dataUrl,
        success:function(data){
            ...
      }});
  }); 
});

Upvotes: 3

bren
bren

Reputation: 4334

For security purposes, you should ALWAYS escape your text, before you plug it into your database (search with, store, etc.) See php's mysqli_real_escape_string to do this. Even though you are using prepared statements, you should still escape your characters.

If it's really a problem, you could replace the + with another character and, then replace it back when you are retrieving from the DB

Upvotes: 0

Related Questions