sql - URlencode with php dynamic drop downs -


i'm working try , establish "safe" dynamic form using php/jquery. trying figure out how encode query result in url, being able display query correctly in browser. ive tried wrapping urlencode around data in each of loops outputs encoded data , disables ability populate second drop down.

        <!-- populate first dropdown -->         <select id="first-choice" name="cardset">             <?php foreach ($data $row): ?>                 <option><?=htmlentities($row["name"])?></option>             <?php endforeach ?>         </select>  <br />         <!-- populate second dropdown -->         <select id="second-choice" name="card">             <option>please choose above</option>         </select>         <!-- jquery populate second , produce image -->         <script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>         <script language=javascript >                 $(document).ready(function(){                     $("#first-choice").change(function() {                     $.get("getter.php", { choice: $(this).val() }, function(data) {                         $("#second-choice").html(data);                     });                 });                       $("#second-choice").change(function() {                     var first = $("#first-choice").val();                     var sec = $(this).val();                     $("#image-swap").attr("src", (first !== "" &&  + sec !== "") ? "pics/" + first + "/" + sec + ".jpg" : "");                     });                 });         </script> 

here getter.php file use populate second drop down using above jquery:

$choice = $_get['choice'];      $sth = $db->prepare("select code sets name='$choice'");     $sth->execute();     $choicecode = $sth->fetchcolumn();      $stmt = $db->prepare("select * cards code='$choicecode'");     $stmt->execute();     $data2 = $stmt->fetchall(); ?> <?php foreach ($data2 $row): ?>     <option><?=$row["cardname"]?></option> <?php endforeach ?> 

basically want encode data goes in drop downs because contain spaces , apostrophes. how can still while @ same time output them correctly?

urlencode should used when you're constructing query parameters in url. when you're putting text html, should use htmlentities. also, use id column value in options.

<?php foreach ($data $row): ?>     <option value="<?=$row["id"]?>"><?= htmlentities($row["name"]) ?></option> <?php endforeach ?> 

also, should use parametrized queries prevent sql injection , avoid other problems when constructing query if contains special characters:

$stmt = $db->prepare("select * cards                        code = (select code sets id = :id)"); $stmt->execute(array(':id' => $_get['choice'])); $data2 = $stmt->fetchall(); 

Comments

Popular posts from this blog

php - regexp cyrillic filename not matches -

c# - OpenXML hanging while writing elements -

sql - Select Query has unexpected multiple records (MS Access) -