sql - URLencode with PHP dynamic drop downs
I'm working on trying to establish a "safe" dynamic form using PHP/jQuery. I'm trying to figure out how to encode the query result in the URL while still being able to display the query correctly in the browser. I've tried wrapping urlencode around the data in each of the loops, but it outputs the encoded data and disables the ability to populate the second drop down.
```php
<!-- populate first dropdown -->
<select id="first-choice" name="cardset">
  <?php foreach ($data as $row): ?>
    <option><?= htmlentities($row["name"]) ?></option>
  <?php endforeach ?>
</select>
<br />
<!-- populate second dropdown -->
<select id="second-choice" name="card">
  <option>please choose above</option>
</select>
<!-- image element targeted by the script below (assumed; not shown in the original post) -->
<img id="image-swap" src="" alt="" />
<!-- jquery: populate second dropdown and produce image -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
<script type="text/javascript">
$(document).ready(function() {
  $("#first-choice").change(function() {
    $.get("getter.php", { choice: $(this).val() }, function(data) {
      $("#second-choice").html(data);
    });
  });
  $("#second-choice").change(function() {
    var first = $("#first-choice").val();
    var sec = $(this).val();
    // image path is built by plain concatenation of the selected values
    $("#image-swap").attr("src", (first !== "" && sec !== "") ? "pics/" + first + "/" + sec + ".jpg" : "");
  });
});
</script>
```
Here is the getter.php file I use to populate the second drop down with the above jQuery:
```php
<?php
$choice = $_GET['choice'];
// the request value is interpolated straight into the SQL string (the injection the answer below addresses)
$sth = $db->prepare("SELECT code FROM sets WHERE name='$choice'");
$sth->execute();
$choicecode = $sth->fetchColumn();
$stmt = $db->prepare("SELECT * FROM cards WHERE code='$choicecode'");
$stmt->execute();
$data2 = $stmt->fetchAll();
?>
<?php foreach ($data2 as $row): ?>
  <option><?= $row["cardname"] ?></option>
<?php endforeach ?>
```
Basically I want to encode the data that goes in the drop downs because they contain spaces and apostrophes. How can I do that while at the same time outputting them correctly?
urlencode should be used when you're constructing query parameters in a URL. When you're putting text into HTML, you should use htmlentities. Also, use the id column as the value in the options.
```php
<?php foreach ($data as $row): ?>
  <option value="<?= $row["id"] ?>"><?= htmlentities($row["name"]) ?></option>
<?php endforeach ?>
```
Also, you should use parameterized queries to prevent SQL injection and to avoid other problems when constructing the query if the value contains special characters:
```php
$stmt = $db->prepare("SELECT * FROM cards WHERE code = (SELECT code FROM sets WHERE id = :id)");
$stmt->execute(array(':id' => $_GET['choice']));
$data2 = $stmt->fetchAll();
```
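The three encoding contexts the answer distinguishes, applied to the asker's jQuery, as an added example that is not part of the original question or answer. The set and card names are constructed sample values; getterUrl, imageUrl, escapeHtml and optionsHtml are names chosen for this example.

```javascript
// Query-string context (what $.get does with { choice: ... }): the PHP
// equivalent is urlencode(); a space becomes "+" and an apostrophe "%27".
function getterUrl(choice) {
  return "getter.php?" + new URLSearchParams({ choice: choice }).toString();
}

// Path-segment context for the image src the asker builds by concatenation.
// Each segment is encoded on its own, so a name containing "/" or "?" stays
// inside pics/<set>/ instead of changing the path or starting a query string.
function imageUrl(first, sec) {
  if (first === "" || sec === "") return "";
  return "pics/" + encodeURIComponent(first) + "/" + encodeURIComponent(sec) + ".jpg";
}

// HTML context: what getter.php must do to each option label before the page
// inserts the response with .html(data). Mirrors PHP htmlspecialchars() with
// ENT_QUOTES, so quotes, apostrophes and angle brackets render as text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Builds the <option> list the way the answer recommends: the id column as
// the value attribute and the escaped name as the visible label.
function optionsHtml(rows) {
  return rows
    .map(function (r) {
      return '<option value="' + escapeHtml(r.id) + '">' + escapeHtml(r.name) + "</option>";
    })
    .join("");
}

// Constructed sample rows standing in for the result of the cards query.
var sampleRows = [
  { id: 7, name: "Jace's Ingenuity" },
  { id: 8, name: 'Ach! Hans, Run! "Quick"' }
];
```

Note that encodeURIComponent leaves the apostrophe unencoded (it is allowed in a path segment) while URLSearchParams encodes it as %27, which matches PHP's urlencode for a query-string value.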