-1

Hi, today I made a dynamic select option menu with PHP and AJAX which is working totally fine, but when selecting an option with -> ' <- inside the word, it gives me no result. I really don't know why it's showing nothing.

Here is a link to the example which I've built: EXAMPLE

This is what I use to get the second result:

<?php
if(isset($_POST['get_option']))
{
    require("../config.php");
    $country = mysqli_real_escape_string($mysqli, $_POST['get_option']);
    $find = mysqli_query($mysqli, "SELECT `league` FROM `teams` WHERE `country`='$country' GROUP BY `league`");
    while ($row = mysqli_fetch_array($find))
    {
        echo "<option>".$row['league']."</option>";
    }
    exit;
}
?>

Screenshot of the database

VMAtm
Roberto
  • Your code is vulnerable to [**SQL injection attacks**](https://en.wikipedia.org/wiki/SQL_injection). You should use [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) prepared statements with bound parameters as described in [**this post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). – Alex Howansky Apr 17 '17 at 18:20
  • Possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Qirel Apr 17 '17 at 18:20
  • You need to post your ajax+html code instead of this one – Оzgur Apr 17 '17 at 18:21

1 Answer

0

You need to escape the apostrophe sign, otherwise the string resolves in an unexpected termination, for example:

WHERE country = 'Women's Day'

A better approach is to send the country's id instead of a string by setting the value of it in each select option, something like:

<option value="23">Australia</option>
<option value="24">Austria</option>
<option value="25">Belgium</option>

And then change the query to:

WHERE countryID = $id
Arbels
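
Added example (not part of the original question, comments or answer): the prepared-statement approach recommended in the comments, written with PDO against an in-memory SQLite database so it runs without the asker's MySQL server. The `leagueOptions` helper, the table rows and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the asker's `teams` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE teams (country TEXT, league TEXT)');
$insert = $pdo->prepare('INSERT INTO teams (country, league) VALUES (?, ?)');
foreach ([
    ["Cote d'Ivoire", "Ligue 1 <Pro>"],
    ["Cote d'Ivoire", "Ligue 2"],
    ["Austria", "Bundesliga"],
] as $row) {
    $insert->execute($row);
}

/**
 * Hypothetical helper: build the <option> markup for one country.
 * The country is bound as a parameter, so an apostrophe (or any other
 * character) travels as data and never becomes part of the SQL text.
 */
function leagueOptions(PDO $pdo, string $country): string
{
    $stmt = $pdo->prepare(
        'SELECT league FROM teams WHERE country = :country GROUP BY league ORDER BY league'
    );
    $stmt->execute([':country' => $country]);

    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $league) {
        // Escape on output too: ENT_QUOTES keeps a quote character in the
        // data from closing a quoted HTML attribute.
        $safe = htmlspecialchars($league, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<option value=\"$safe\">$safe</option>\n";
    }
    return $html;
}

// Simulated POST values (constructed): a name containing an apostrophe,
// then a quote-laden string that must match no rows.
foreach (["Cote d'Ivoire", "x' OR '1'='1"] as $input) {
    echo "Input: $input\n", leagueOptions($pdo, $input) ?: "(no rows)\n", "\n";
}
```

With the bound parameter, the first input returns both of its leagues and the second returns no rows, since the whole string is compared against `country` as a literal value.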