0
I have a tire brand registration form, in one of the input fields where I inform the model of the tires, I need to pass the + example sign (ecoplus+). I take the values of the fields through a Javascript function, and step for php to perform the insertion of this data in the BD, but this saving only the writing(ecoplus)and the + sign not saved in the BD table. I need to create a tactic to save the description and signal +.
Javascript function
function executafuncao(id) {
if (id == "save") {
var cdmodelo = document.getElementById('cd_modelo').value;
var nome = document.getElementById('txtnome').value;
var cdmarca = document.getElementById('marca').value;
var status = document.getElementById('ativo').value;
if (nome != '') {
nome = nome.replace("'", "");
}
if (nome == "") {
alert('Informe a descri\u00e7\u00e3o do modelo!');
document.getElementById('txtnome').focus();
} else if (cdmarca == 0) {
alert('Selecione a marca!');
document.getElementById('marca').focus();
} else {
if (cdmodelo == '') {
Tipo = "I"
} else {
Tipo = "A";
}
window.open('cadastros/modelopneu/acao.php?Tipo=' + Tipo + '&codigo=' + cdmodelo + '&nome=' + nome + '&cdmarca=' + cdmarca + '&status=' + status, "acao");
}
}
}
//Codigo php que insere no BD
$insert = "INSERT INTO pneu_modelos (ds_modelo, cd_marca, cd_usercadastro)
VALUES (UPPER('".$nome."'), ".$cdmarca.", ".$_SESSION["CD_USUARIO"].")
RETURNING cd_modelo";
$rss_insert = pg_query($conexao, $insert);
while ($linha = pg_fetch_row($rss_insert)) { $nr_modelo = $linha[0]; }
if($nr_modelo!=''){
echo "<script language='JavaScript'>
alert('Modelo cadastrado com sucesso!');
window.parent.executafuncao('new');
window.parent.consultar(0);
</script>";
} else {
echo "<script language='JavaScript'>alert('Problemas ao gravar!');</script>";
}
}
}
See this question How to prevent SQL code injection into my PHP code?.
– Augusto Vasques