Javascript to PHP via AJAX, HOW can I get a "%" to pass as parameter?

greetings  Ralph, ,  In using strings with punctuation or symbols in a GET or POST Value, you HAVE TO replace the punctuation and symbols that are NOT ALLOWED in a URL address, if I am doing a manual GET url string I use the JS encodeURIComponent( ) function to parse the text to acceptable URL characters like this -
var send2='img1=33&folder='+encodeURIComponent(fol)+'&gofor='+encodeURIComponent(g4d);

However in JQUERY it has mechanisms that automatically parse URL post and get addys, but you have to properly place the strings in their methods, usually in an object like -
{job:"SearchUsing", FormName: "form_TableSearch", tablename: "ModemConfiguration",
where_clause: "WHERE mc.wireless_no LIKE '%"+wireless_no+"%' AND "}

And I must suggest to you that it is a BAD practice to build any SQL query text in the browser javascript, this will make it so easy for most anyone to do SQL injections on the server,
you MUST at all times take double measures to insure that SQL injection on the server from a web post CAN NOT HAPPEN, if you have ever had this happen you will regret not Taking the time and effort to prevent SQL injection.

The percent sign has no special meaning, and goes through the request just fine.  There may be something wrong in the PHP logic.  You might want to see the request variables.  You can use var_dump() to print them out.

And I'm 100% with @slick812 on this: Do not build a query in an external client and transmit it to your server for execution.  The risk is that once someone sees your JavaScript they may decide to build a query and send it directly to your server.

The percent sign has no special meaning, and goes through the request just fine.

I have to disagree with you.  If the '%' in the string creates a valid 'percent encoded' value, then it will have special meaning.  The most common example is '%20' which will be translated to a ' ' (space) character.  Slick812 is correct about using JS encodeURIComponent( ) .  HTML forms encode the 'values' (but not the names) when form data is transmitted.  You can easily see this if you use method="get" on a simple form.

https://en.wikipedia.org/wiki/Percent-encoding

Thank you both for the wise words of caution.
This will always live entirely behind a corporate firewall and used by only one person.  Never non-corporate access.
Your concerns are noted and I will not do this kind of SQL access in javascript again.

Slick812, I don't follow this.  Can you please elaborate so I can follow?
However in JQUERY it has mechanisms that automatically parse URL post and get addys, but you have to properly place the strings in their methods, usually in an object like -
{job:"SearchUsing", FormName: "form_TableSearch", tablename: "ModemConfiguration",
where_clause: "WHERE mc.wireless_no LIKE '%"+wireless_no+"%' AND "}

I've used php_params constructed this way (never anything SQL-ish) from PHP to JS 20+ times before and everything has made it to PHP just fine through AJAX.

Showing environment in addition to first post (See image captions for clarity.):
Please see the PHP Capture.png then the DebugCapture
Sorry for the roundabout way to get the mouse-over data content in the attached image.

If I encodeURIComponent in JS, do I use urldecode in PHP?  I'll give it a try.

Thank you both!
PHP-Capture.PNG
DebugCapture.pdf

If I encodeURIComponent in JS, do I use urldecode in PHP?

If you are sending the data to a PHP page from JavaScript, it is normally automatically decoded.  You only need to use 'urldecode in PHP' if you are creating a link with a query string.

Hmmm.

What I had before attach-file failed:

Better SNIP this time.  Again, I've put echo-s in PHP to get a look at the data while in JS.

I'm using encodeURIComponent in JS now and urldecode in PHP and I get these results.
Better-Snip.PNG

Of course I can cheat and do a bait-n-switch with a different character...
Not a way to learn or solve a problem rightly though.

%32 = '2' when decoded.  You need to encodeURIComponent '%324%' which then becomes '%25324%25' because the '%' symbols are encoded.

Very odd.  "%" is an unwanted character!

Using encodeURIComponent in JS now and urldecode in PHP.

When I use %,  jQuery into a DIV before AJAX shows:

job=SearchUsing&FormName=form_TableSearch&tablename=ModemConfiguration&where_clause=WHERE%20mc.wireless_no%20LIKE%20'%25324%25'

Select allOpen in new window

which looks good, however in PHP, uncommenting my echo "<pre>".vardump($where_clause).</pre>";  I get:

string(32) " WHERE mc.wireless_no LIKE '24%'"

Select allOpen in new window

When I use #,  jQuery into a DIV before AJAX shows (NO other changes other then to xlate # to % in PHP):

job=SearchUsing&FormName=form_TableSearch&tablename=ModemConfiguration&where_clause=WHERE%20mc.wireless_no%20LIKE%20'%23324%23'

Select allOpen in new window

which looks great!  Back in PHP, uncommenting my echo "<pre>".vardump($where_clause).</pre>";  I get:

string(34) " WHERE mc.wireless_no LIKE '%324%'"

Select allOpen in new window

And the sky is blue!
Can I still be confused?

Thanks thanks thanks!
No "#" conversion, just "%"s!

I'll commit the decoding done in web server/before browser to memory.

-- -- --
For further educational enlightenment, for security, not complete by any means, but "always keep anything SQL out of JS and just pass values"?

For further educational enlightenment, for security, not complete by any means, but "always keep anything SQL out of JS and just pass values"?

Yes.  It has never occurred to me to pass SQL in a query string or even a POST string.  Just values.

Educational, persistent, collaborative, complete!

I was busy, so this is late, but just to show some URL conversions, this is the test inputs in a Form
  <input name="bumper" type="text" value="OK? Fran&Brad=happy 100%" />
  <input name="fender" type="text" value="joker! is > 1/2 sure, * to lander" />

and in the url as -

?bumper=OK%3F+Fran%26Brad%3Dhappy+100%25&fender=joker!+is+>+1%2F2+sure%2C+*+to+lander&up

Select allOpen in new window

and the text from the  PHP

echo 'this is BUMPER - '.$_GET["bumper"].'<br />this is FENDER - '.$_GET["fender"].'<hr>';

this is BUMPER - OK? Fran&Brad=happy 100%
this is FENDER - joker! is > 1/2 sure, * to lander

for reasons I do not know it does not change the  !  or the   >
it is the convention now to have all spaces as a   +  and not a   %20

it is the convention now to have all spaces as a   +  and not a   %20

I believe '+' is the original way and both are recognized as space.

Go to this URL:
http://iconoun.com/demo/ajax_client.php
Enter this in the input box:
Ray%20Baldwin

Like many things in application programming, assumptions abound and there are several layers of "truth" that need to be considered before an application is deployed into the wild!

Ray, I modified your page to include a form.  You can exercise this thru the submit button for the form or by clicking on your text.  It is interesting the differences you get.

<!DOCTYPE html>
<html dir="ltr" lang="en-US">
<head>
<meta charset="utf-8" />
<title>Percent Encoding Using HTML Form</title>
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js"></script>

<script>
$(document).ready(function(){
    $("#signal").click(function(){
        indata = $("#xinput").val();
        $.post("ajax_server.php", {myArg:indata}, function(response){
            $("#output p#target").html(response);
        });
    });
});
</script>

</head>
<body>
<form action="ajax_server.php" method="get">

<input name="xinput" id="xinput" value="Enter your name here" />
<input type="submit" name="submit" value="Submit" />

</form>
<div   id="signal">This is not a link, but Click Me Anyway!</div>
<div   id="output">
   <p  id="static">This element remains unchanged</p>
   <p  id="target">This element gets the AJAX response</p>
</div>

</body>
</html>

Select allOpen in new window