
I am Ajax'ing data to a WordPress database and, on success, showing the text that was written to the database in a div so that people can see what was written.

My code looks like this:

$.ajax({
    type: "POST",
    url: "<?php echo get_bloginfo('template_url').'/insert_comment.php';?>",
    data: dataString,
    cache: false,
    success: function(html){
        // server replies with "comment|name"
        var returnedArray = html.split('|');
        var newhtml = $.trim(unescape(returnedArray[0]));
        $("#quote").fadeOut(200, function(){
            $("#quote_cont").text(newhtml);
            $("#quote span").text(returnedArray[1]);
        });
        $("#quote").fadeIn(200);
    }
});

So for example, if the user writes the comment "I don't understand!!"

div #quote displays "I don\'t understand!!", yet when I view the database it was written without the "\".. and if I pull the content straight from the database using PHP I don't get the "\".

EDIT:

The changed PHP file below is now CORRECT.. many thanks to @deceze for being patient with me. Make sure that your mysql_real_escape_string() comes AFTER your database connection.

<?php
$con = mysql_connect("localhost","root","root");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("robomon_wbc", $con);

// mysql_real_escape_string() needs the open connection above, so the
// escaping happens only after mysql_connect() has succeeded.
$order_id = mysql_real_escape_string($_POST['order_id']);
$email = mysql_real_escape_string($_POST['email']);
$name = mysql_real_escape_string($_POST['name']);

// Sanitise the display text first, then escape it for the query;
// escaping must be the last step before the value goes into SQL.
$comment = strip_tags($_POST['comment']);
$comment = mysql_real_escape_string($comment);
mysql_query("UPDATE wp_orderdata SET `comment`='".$comment."', `cus_name` = '".$name."' WHERE `order_id`='".$order_id."' AND `order_email`='".$email."';");
mysql_close($con);

// The raw POST values are echoed back; with magic_quotes_gpc on, these
// already carry the backslashes that showed up in the Ajax response.
echo $_POST['comment'].'|'.$_POST['name'];
?>
  • Show us the server-side code, what exactly is returned from the call and possibly at which point exactly the slashes are added to the string. I don't think this is an issue of needing to strip escapes, but rather a problem of handling the string correctly server-side to begin with. Commented Jan 16, 2012 at 3:37

2 Answers


Your code to insert the comment into the database is bad. It relies on Magic Quotes, which is the reason you're seeing slashes in the output values. Please read the aforelinked documentation about Magic Quotes, they're bad, deprecated and not recommended. Instead you need to SQL escape the values using mysql_real_escape_string or use a better MySQL interface to begin with which supports prepared statements, like MySQLi or PDO.

To summarize, the slashes are caused by Magic Quotes, which you could strip/disable on the server, but if you do so, you'll need to change your database code to avoid SQL injection vulnerabilities. You should change your database code anyway, since you're still vulnerable to SQL injection even with Magic Quotes.


6 Comments

OK, thanks! I appreciate the note about security and have updated to include the mysql_real_escape_string around my variables that I'm handing to the query.. however this DOESN'T fix the returned data from the AJAX operation still being escaped...
As I have no access to the php.ini file, added "php_flag magic_quotes_gpc Off" to the .htaccess file
Did that work? Output the raw $_POST array. Or read the manual section, which talks about different ways of disabling/stripping magic quotes.
Disabling magic quotes just followed what they say.. the problem isn't from the insert_comment.php file, I'm pretty sure it's what happens to the string when it reaches the success section of the AJAX
Slashes don't just appear out of nowhere. Do some step by step debugging of where exactly they appear. Magic quotes are the most likely suspect.
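The accepted answer's advice (drop the reliance on Magic Quotes, and move to prepared statements with MySQLi or PDO) applied to the asker's insert_comment.php, as an added example that is not the asker's or the answerer's code. The table and column names come from the question; the DSN, the placeholder credentials, the field validation and the JSON response format are assumptions made here.

```php
<?php
// Added example, not code from the question or the answers: insert_comment.php
// redone with PDO prepared statements. Table and column names come from the
// question; DSN, credentials, validation and the JSON response are assumed.

// Magic quotes (PHP < 5.4) backslash-escape every request value before the
// script sees it, which is where the "I don\'t" in the Ajax response came from.
// Undo it here so the raw text reaches both the database and the response.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Collect the four fields the query needs and reject anything that is not a
// plain string (a nested array in $_POST, or a missing key).
function read_fields(array $post) {
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    $fields = array();
    foreach (array('order_id', 'email', 'name', 'comment') as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            return null;
        }
        $fields[$key] = $magic ? strip_magic_quotes($post[$key]) : $post[$key];
    }
    // Sanitise for display first; the database layer handles quoting.
    $fields['comment'] = strip_tags($fields['comment']);
    $fields['name'] = strip_tags($fields['name']);
    return $fields;
}

// The SQL text is fixed; the values travel separately as bound parameters,
// so quotes or backslashes in a comment cannot alter the statement.
function save_comment(PDO $db, array $f) {
    $stmt = $db->prepare(
        'UPDATE wp_orderdata SET `comment` = :comment, `cus_name` = :name
          WHERE `order_id` = :order_id AND `order_email` = :email'
    );
    $stmt->execute(array(
        ':comment'  => $f['comment'],
        ':name'     => $f['name'],
        ':order_id' => $f['order_id'],
        ':email'    => $f['email'],
    ));
    return $stmt->rowCount();
}

$fields = read_fields($_POST);
if ($fields === null) {
    header('HTTP/1.1 400 Bad Request');
    exit;
}

// Placeholder credentials (assumed): a real deployment reads them from
// configuration, not from the script, and does not use the MySQL root account.
$db = new PDO(
    'mysql:host=localhost;dbname=robomon_wbc;charset=utf8',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false)
);
$updated = save_comment($db, $fields);

// JSON instead of a '|'-joined string: a '|' typed into the comment would
// otherwise break the split in the success handler, and the client can read
// the fields by name.
header('Content-Type: application/json');
echo json_encode(array(
    'updated' => $updated,
    'comment' => $fields['comment'],
    'name'    => $fields['name'],
));
```

On the client side this pairs with `dataType: 'json'` in the `$.ajax` call and `$("#quote_cont").text(data.comment)` in the success handler; `.text()` inserts the comment as literal text, so nothing in it is interpreted as HTML, and no `unescape()` or backslash stripping is needed because the server never added any.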

This should work:

var newhtml = $.trim(unescape(html));

3 Comments

This doesn't help unfortunately
Ok, I took your question to indicate that you wanted help with the javascript displaying backslashes.
Yer, not your fault mate.. I diagnosed the problem wrong.. it appeared to me to be coming from the JS, thank you though
