
Hopefully just a quick one. I can see various answers to my problem but am finding it difficult to implement them in my code. As the title says, I'm looking to allow apostrophes when posting data to MySQL using AJAX and JavaScript. When submitting data just now, it doesn't work.

Hoping someone can finalise the code to make this work.

HTML

<!-- Modal - Add New Record/Info -->
<div class="modal fade" id="add_new_record_modal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel">
<div class="modal-dialog" role="document">
    <div class="modal-content">
        <div class="modal-header">
            <button type="button" class="close" data-dismiss="modal" aria-label="Close"><span aria-hidden="true">&times;</span></button>
            <h4 class="modal-title" id="myModalLabel">Add some useful information</h4>
        </div>
        <div class="modal-body">

            <div class="form-group">
                <label for="add_info">Add Info</label>
                <input type="text" id="info" class="form-control"/>
            </div>

        </div>
        <div class="modal-footer">
            <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
            <button type="button" class="btn btn-primary" onclick="addRecord()">Add Record</button>
        </div>
    </div>
</div>
</div>
<!-- // Modal -->

Javascript

// Add Record
function addRecord() {
    // get values
    var info = $("#info").val();

    // Add record
    $.post("ajax/addRecord.php", {
        info: info
    }, function (data, status) {
        // close the popup
        $("#add_new_record_modal").modal("hide");

        // read records again
        readRecords();

        // clear fields from the popup
        $("#info").val("");
    });
}

Ajax - addRecord.php

<?php
if (isset($_POST['info'])) {
    // include Database connection file
    include("db_connection.php");

    // get values
    $info = $_POST['info'];

    $query = "INSERT INTO useful_info(info) VALUES('$info')";
    if (!$result = mysql_query($query)) {
        exit(mysql_error());
    }
    echo "1 Record Added!";
}
?>

From reading other questions on the site, I can either use get_magic_quotes_gpc or by creating a JSON object and use JSON.stringify. Just wondering how best to achieve this.

Any help would be appreciated.

Kev
    You are basically breaking your query by SQL injecting yourself. The only valid solution here is to change from using mysql_* to PDO or MySQLi and use prepared/parameterized queries. – JimL Jan 14 '17 at 20:07

2 Answers


As per @JimL's comment, you should switch over to mysqli or PDO and use parametrized queries, as the mysql extension is deprecated.

E.g. (PDO):

$stmt = $pdo->prepare("INSERT INTO useful_info(info) VALUES(?)");
if (!$stmt->execute([$info])) {
  exit(implode(" :: ", $stmt->errorInfo()));
}
Bigdot

As others have mentioned, both mysql_ functions and get_magic_quotes_gpc are way outdated. I know this can be overwhelming at first but I recommend this wiki, which really did help put me on the right track when I myself switched from using mysqli_ without prepared statements to PDO with prepared statements. You won't regret it, it's both safer and easier to use and, as long as you're using it properly, you don't have to fiddle with apostrophes, etc. You just insert the data as is in the database and you're fine as far as SQL injection goes (doesn't mean you don't have to care about user input data when displaying it back though, but that's another matter).

caml
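A worked version of ajax/addRecord.php using PDO with a prepared statement, as both answers above recommend, plus the output-escaping point from the second answer (an added example, not code from the question or either answer; it assumes db_connection.php defines a connected PDO instance named $pdo):

```php
<?php
// Added example: ajax/addRecord.php rewritten with PDO and a prepared statement.
// An apostrophe in $_POST['info'] is sent to MySQL as bound data, never spliced
// into the SQL text, so "O'Brien" is stored as-is and the query cannot be broken.
// Assumption: db_connection.php defines $pdo, a PDO instance for the app's database.
declare(strict_types=1);

function addRecord(PDO $pdo, string $info): int
{
    // The SQL text is fixed; the value travels separately as a parameter.
    $stmt = $pdo->prepare('INSERT INTO useful_info (info) VALUES (?)');
    $stmt->execute([$info]);
    return $stmt->rowCount(); // 1 on success
}

function readRecords(PDO $pdo): array
{
    // Parameterization stops SQL injection on the way in; on the way out the
    // stored text must still be HTML-escaped before it is shown in the browser.
    $rows = $pdo->query('SELECT info FROM useful_info')->fetchAll(PDO::FETCH_COLUMN);
    return array_map(
        static function (string $v): string {
            return htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
        },
        $rows
    );
}

if (isset($_POST['info'])) {
    include 'db_connection.php'; // assumed to define $pdo
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

    try {
        addRecord($pdo, (string) $_POST['info']);
        echo '1 Record Added!';
    } catch (PDOException $e) {
        // Log the detail server-side; don't echo driver errors to the client
        // the way exit(mysql_error()) did.
        error_log($e->getMessage());
        http_response_code(500);
        echo 'Database error';
    }
}
```

With this in place the JavaScript in the question needs no changes: the apostrophe is posted as-is and stored as-is.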