skipping special character when passing through get request

Question

This is the js\jquery function which is requesting

function AssignWork(){
    var projectId = $jq(".dmProjName").val(),
        empId = $jq(".nameEmp").val(),
        assignWork = $jq(".workDescription").val(),
        workDate = $jq(".workDate").val();
    var go_path = "Employee_Switch_Person.php?action=assignWork&vars=4&var1="+empId+"&var2="+projectId+"&var3="+assignWork+"&var4="+workDate;
    $jq.get(go_path,{},function(data){
        if(data ==1){
            alert("Successfully Assigned!");
            showAssignWork(0);
        }
    });
}

this is php

function assignWork($empId,$projectId,$assignWork,$workDate){
    //echo $workDate;
    global $con;
    date_default_timezone_set("Asia/Karachi");
    //echo "date format".date('Y-m-d H:i:s');
    //echo $empId.",".$projectId.",".$assignWork.",".$workDate;
    $sql = "INSERT INTO `tblempassignwork` (`EmpId`, `AssignWork`, `AssignById`, `ProjectId`, `WorkDate`, `AssignDateTime`)
          VALUES($empId,'".$assignWork."',".$_COOKIE["userID"].",".$projectId.",'".$workDate."','".date('Y-m-d H:i:s')."')";
    $result = mysql_query($sql,$con) or die(mysql_error());
    echo $result;
}

problem is that

 assignWork = $jq(".workDescription").val()

can contain a string with double quote, single quote, hash or any special character. if i use single quote or hash then it is showing

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's and makes some examples',3,77,'2015-05-08','2015-05-08 09:51:17')' at line 2

cause i have type single quote in string. so how can i skip special character when passing through get request.

score 0 · Answer 1 · answered May 08 '15 at 05:04

0

In the jQuery, you can replace all the non-alphanumeric characters with -

assignWork=assignWork.trim().replace(/[^a-z0-9]+/gi, '-');

Or you can replace it with whitespace or what ever suites your program the best :)

answered May 08 '15 at 05:04

Manikiran

2,618
1
23
39

what will i do when i retrieve this data again – Mohammad Faizan khan May 08 '15 at 05:13
You can have a backup variable say `var assignWork_original=assignWork` And then you can do the above trimming – Manikiran May 08 '15 at 05:14

score 0 · Answer 2 · edited May 23 '17 at 11:58

0

If you want to exclude special characters

solution is already in stackoverflow javascript regexp remove all special characters

var outString = sourceString.replace(/[`~!@#$%^&*()_|+\-=?;:'",.<>\{\}\[\]\\\/]/gi, '');

edited May 23 '17 at 11:58

Community

1
1

answered May 08 '15 at 05:06

gaurav bhavsar

2,033
2
22
36

what will i do when i retrieve this data again – Mohammad Faizan khan May 08 '15 at 05:13
once you replace the character of any string its hard to retrieve again. you have to store that value in somewhere. If you want value for temporary then store in session variable. – gaurav bhavsar May 08 '15 at 05:19

score 0 · Answer 3 · edited May 23 '17 at 12:21

0

Change this:

assignWork = $jq(".workDescription").val(),

To this:

assignWork = escape($jq(".workDescription").val()),

IMHO isn't safe to store te unscaped string in your database, and when you read it back in javascript, you cand just "unescape" it.

JavaScript unescape() Function

otherwise, if you want to, just decode it in the PHP using:

$assignWork = urldecode($assignWork);

Javascript's “unescape” in PHP

edited May 23 '17 at 12:21

Community

1
1

answered May 08 '15 at 05:13

KodornaRocks

425
3
14

i use escap but problem still persist when i use single quote in WorkDescription string – Mohammad Faizan khan May 08 '15 at 05:21

skipping special character when passing through get request

3 Answers3