First character of a string fusionning with a %

Question

So i'm sending a String with javascript to a php page :

if(cp.value!=''){
    s+=cp.name +" LIKE '%"+ cp.value +"%'";
    console.log(s);

    if(sec.value!=''){
        s+=" AND "+sec.name+" LIKE '%"+ sec.value +"%'";
        console.log(s);

    }
}
else{
    if(sec.value!=''){disappear
        s+=sec.name+" LIKE '%"+ sec.value +"%'";
    }
}

console.log(s);
if(s.length!=0){
    var connect = new XMLHttpRequest();
    connect.onreadystatechange=function(){
        if (connect.readyState==4 && connect.status==200){
            var resu=connect.responseText;
            console.log(resu);
            var tab=document.getElementById("main_tab");
            tab.innerHTML=resu;


        }
    };
    connect.open("POST","../../Controller/stage.php",false);
    connect.setRequestHeader('Content-Type','application/x-www-form-urlencoded');
    connect.send("s="+s);

}

}

The string sent is for exemple :

CP_Stage LIKE '%90%' AND secteur_stage LIKE '%ait%'

But when i print the request in the php page i have something like :

SELECT * FROM Stage WHERE CP_Stage LIKE ' %' AND secteur_stage LIKE '%ait%';

i have no idea why my first number disappear with the first %. If anyone have an idea it would be awesome, thanks !

Answer 1

The percent-sign is a special charcter. Any special characters like %,&,? etc need to be encoded. Your "%90" is converted to an Ascii-Value. You have to encode these values with encodeURIComponent.

s += cp.name + " LIKE '" + encodeURIComponent("%" + cp.value + "%") + "'";

Note that encodeURIComponent does not escape the ' character. If your cp.value has an ' you have to replace it with its encoding value: %27 .

By the way.. its a bad idea to send mySQL-queries from client-side - thats a major security flaw. Send only the values and build your queries on server-side.