I'm using this update statement:

```php
$sql = "update questions set response = ?, `check` = ? where questionID = ? && starID = ?";
$qc = $pdo_conn->prepare($sql);
$qc->execute(array($_GET['response'], $_GET['check'], $_GET['questionID'], $_SESSION['starid']));
```
But when the response value has an & in it, like "pop and r&b", it ends up in the database as "pop and r".

Also, if there is a line break it takes out all of the spaces, like:

```
Bob
Jim
```

ends up in the database as "BobJim".

The response type in the database is varchar(10000).

Here is the JavaScript code that gets the $_GET['response'] value:
```javascript
var html = '';
$(document).ready(function(){
    $(".save_btn").live('click', function() {
        $('.response').each(function(){
            //alert($(this).attr('id'));
            //alert($(this).val());
            if ($(this).val() == '') {
                html = $.ajax({
                    url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val() + "&check=0",
                    async: false
                }).responseText;
            }
            if ($(this).val() !== '') {
                // the textarea value is concatenated into the URL as-is
                html = $.ajax({
                    url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val() + "&check=1",
                    async: false
                }).responseText;
            }
        });
        alert(html);
        location.reload();
    });
});
```
This part of the if is the important part in this case:

```javascript
if ($(this).val() !== '') {
    // the textarea value is concatenated into the URL as-is
    html = $.ajax({
        url: "response.php?questionID=" + $(this).attr('id') + "&response=" + $(this).val() + "&check=1",
        async: false
    }).responseText;
}
```
Any ideas on how to fix this?
You should encode your value for the URL:

```javascript
escape($(this).val())
```

The & has a special meaning in a URL, it is used as a separator between parameters.
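As an added example, not code from the question or the answer, here is a small model of what response.php's $_GET receives when the value is sent raw (as the question's string concatenation does), with escape() as the answer suggests, and with encodeURIComponent(). The query-string parser, the browserUrlCleanup step and the sample values are my own constructions; questionID 7 is a made-up value.

```javascript
// Added example (not the question's or answer's code): models what the PHP
// side ($_GET) sees when a value is put into the query string raw, with
// escape(), and with encodeURIComponent(). Sample values are constructed.

// Build "key=value&key=value" from an object, running each key and value
// through `encoder` (identity reproduces the question's string concatenation).
function buildQuery(params, encoder) {
  return Object.keys(params)
    .map((k) => encoder(k) + '=' + encoder(String(params[k])))
    .join('&');
}

// Browsers strip raw tab, CR and LF from a URL before sending it (URL spec),
// which is why an unencoded line break vanishes on the way to the server.
function browserUrlCleanup(url) {
  return url.replace(/[\t\r\n]/g, '');
}

// Minimal parser behaving like PHP's $_GET: split on "&", then on the first
// "=", treat "+" as a space and decode %XX escapes.
function parseQuery(qs) {
  const out = {};
  const decode = (s) => decodeURIComponent(s.replace(/\+/g, ' '));
  for (const pair of qs.split('&')) {
    if (pair === '') continue;
    const i = pair.indexOf('=');
    const rawKey = i === -1 ? pair : pair.slice(0, i);
    const rawVal = i === -1 ? '' : pair.slice(i + 1);
    out[decode(rawKey)] = decode(rawVal);
  }
  return out;
}

// No encoding at all: the value is pasted into the URL exactly as typed.
const identity = (s) => s;

// Send a response value the way response.php would receive it and return the
// parsed parameters. questionID 7 and check 1 are constructed sample values.
function roundTrip(response, encoder) {
  const qs = buildQuery({ questionID: 7, response: response, check: 1 }, encoder);
  return parseQuery(browserUrlCleanup(qs));
}

// Demo when run directly: node this_file.js
if (typeof require !== 'undefined' && require.main === module) {
  for (const v of ['pop and r&b', 'Bob\nJim', 'r+b']) {
    console.log(JSON.stringify(v), '->',
      'raw:', JSON.stringify(roundTrip(v, identity).response),
      'escape:', JSON.stringify(roundTrip(v, escape).response),
      'encodeURIComponent:', JSON.stringify(roundTrip(v, encodeURIComponent).response));
  }
}
```

Run it with node. It reproduces both symptoms from the question: the raw & truncates the value to "pop and r" and turns the remainder into a stray parameter named b, and a raw line break is dropped by the browser's URL parser so "Bob\nJim" arrives as "BobJim". Both escape() and encodeURIComponent() fix those two cases; the difference is that escape() leaves "+" untouched, which the server then decodes as a space, while encodeURIComponent() sends it as %2B, so the latter is the safer choice for query-string values. Encoding only fixes the transport problem: the PDO placeholder is what keeps the value out of the SQL, and the endpoint still performs a state-changing update on a GET request.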