Hi, I have this simple code:
var datastring="123";
$.ajax({
    url: 'actualizarimagen.php',
    type: 'post',
    dataType: 'text',
    data: datastring,
    cache: false,
    success: function(response){
        $('.msg1').html(response);
    },
    error: function(response){
        $('.msg1').html(response);
    }
});
And in actualizarimagen.php:
$desc_larga = print('<pre>') & print_R($_POST) & print('</pre>');
$insertSQL = sprintf("INSERT INTO prueba (texto) VALUES ($desc_larga)");
I get the success message, but the database always saves 1. I tried changing everything, the dataType, the success, error, complete functions but it doesn't work. I was searching but no answers could help me.
Thanks.
Edit: Added response
asked May 17, 2012 at 16:33 by Jorge Bellido
- The datastring is just a value, shouldn't it be a key/value pair? How would $_POST contain the value if there's no key for it? Or what value would it contain if given only a key? Also, what does print_R() do when given an array of key/value pairs like $_POST? – David Commented May 17, 2012 at 16:37
- If you fix your input, then your output to the browser is vulnerable to XSS and your output to the database is vulnerable to SQL Injection. – Quentin Commented May 17, 2012 at 16:41
- How should i change it to stop the sql injection? with php or js? thanks – Jorge Bellido Commented May 17, 2012 at 16:46
7 Answers
Your datastring should contain data encoded as application/x-www-form-urlencoded
e.g.: var datastring="foo=123";
It is better not to pass a string to jQuery at all. Pass it an object and let it handle the encoding for you.
e.g.: data: { "foo": "123" }
data Object, String
Data to be sent to the server. It is converted to a query string, if not already a string. It's appended to the url for GET-requests. See processData option to prevent this automatic processing. Object must be Key/Value pairs. If value is an Array, jQuery serializes multiple values with same key based on the value of the traditional setting (described below).
You are just sending up 123 to the server.
It should be something like
var datastring="myField=123";
or
var datastring = {"myField" : 123 };
and with the PHP you would read it
$_POST["myField"]
To send the data, there is a format to be followed, like
var datastring="var1=123&var2=abcd";
or
var datastring=[{name:'var1',value:123},{name:'var2',value:'abcd'}];
The second format (array of name/value objects) is like <input type="text" name="var1" value="123">
where the HTML input element has a name and value to be posted.
Then, you can get the value by:
$_POST['var1']
or
$_POST['var2']
An example to achieve this easily could be:
JS:
var datastring="123";
$.post('actualizarimagen.php', { datastring:datastring }, function(data){
    if(data != 0){
        $('.msg1').html('correcto');
    } else {
        $('.msg1').html('error');
    }
});
In your actualizarimagen.php:
if(!empty($_POST) && isset($_POST['datastring'])){
    /* Connect to DB */
    $link = mysql_connect('server', 'user', 'pwd');
    if (!$link) {
        // No connection
        print(0);
        exit();
    }
    $db = mysql_select_db('db', $link);
    if (!$db) {
        // DB selection error
        print(0);
        exit();
    }
    /* Sanitize the value */
    $datastring = mysql_real_escape_string($_POST['datastring']);
    // I don't understand here what you tried to do with $desc_larga but this is what I thought
    $desc_larga = "<pre>".$datastring."</pre>";
    /* Insert to DB */
    $sql = "INSERT INTO prueba (texto) VALUES ('$desc_larga')";
    if(mysql_query($sql,$link)){
        // Everything is Ok at this point
        print(1);
    } else {
        // Error happened in your SQL query
        print(0);
    }
}
In the ajax call:
data: { my_var : datastring },
in the php:
$desc_larga = '<pre>'.$_POST['my_var'].'</pre>';
try replacing
type: "post",
with
type: "POST",
and your datastring should be like this :
single=Single&multiple=Multiple&multiple=Multiple3&check=check2&radio=radio1
as explained here:
http://api.jquery.com/serialize/
var datastring = "123";
$.ajax({
    url: 'actualizarimagen.php',
    type: 'post',
    dataType: 'text',
    data: {data : datastring},
    cache: false
}).always(function(response) {
    $('.msg1').html(response);
});
And in actualizarimagen.php:
$desc_larga = '<pre>'.$_POST['data'].'</pre>';
// $desc_larga must be escaped or bound as a parameter before this query is executed
$query = "INSERT INTO prueba (texto) VALUES ('".$desc_larga."')";
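
Added example, not part of any answer above: one way to address the XSS and SQL injection points raised in the comments, done server-side in PHP. It stores the raw value through a PDO bound parameter and HTML-encodes only when echoing; the field name texto, the function name guardarTexto and the in-memory SQLite database are assumptions made so the block runs stand-alone.

```php
<?php
declare(strict_types=1);

// Hardened version of the actualizarimagen.php logic (illustrative, hypothetical names).
// Assumes the client sends: data: { texto: "..." }
function guardarTexto(PDO $pdo, array $post): string
{
    // Reject requests that lack the expected key (the question's original
    // problem: a bare value was posted with no key).
    if (!isset($post['texto']) || !is_string($post['texto'])) {
        http_response_code(400);
        return 'error';
    }

    // Bound parameter: the value is sent separately from the SQL text,
    // so quotes in the input cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO prueba (texto) VALUES (:texto)');
    $stmt->execute([':texto' => $post['texto']]);

    // Encode on output, not on storage, so the response is safe to place
    // into the page with $('.msg1').html(response).
    return '<pre>' . htmlspecialchars($post['texto'], ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Demo with an in-memory database and constructed input (not from the page).
// In the real script, pass $_POST and the application's own PDO connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE prueba (texto TEXT)');

$constructed = ['texto' => "it's <b>123</b>"];

// Response body: markup characters arrive HTML-encoded.
echo guardarTexto($pdo, $constructed), "\n";

// Stored value: the original text, unchanged, with the quote intact.
echo $pdo->query('SELECT texto FROM prueba')->fetchColumn(), "\n";
```

Both fixes belong in PHP, since anything done in the browser can be bypassed by sending the request directly. On the client, `$('.msg1').text(response)` is the safer choice whenever the response is not meant to be markup.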