Javascript Fun (Escape function) & PHP

[Bes]

Hi,

I have a form field that is basically free text. I want to escape special chars in the content before throwing it over to php... This is because when the string hits PHP (via an AJAX POST), I explode the string into an array based on a special char or chars. I do this because depending on the page the user is on, I don't know how many strings I will be dealing with, so the AJAX post just slaps them all together into a big long string and posts them. (Doesn't make much sense, but trust me, it does the job!)

I am thinking escaping the string to hex chars, the afterwards, appending a single seperator (like a !), then throwing it over, meaning in theory the ! should hit php 'clear' (But it does not for some reason??), and then decoding it back to readable text for it to be presented to the user again.

Is there a better way of doing this, bearing in mind I probably want to do something on the PHP side as soon as the string is posted to stop nasty exploits happening? As this is an AJAX POST and it will NOT work with Javascript disabled, is browser- side enough?

This is the code I am using on the JS side (Note the unescape ("!") bit is crap and does nothing, but even without the unescape bit around it, I still see the ! go in as hex.

values="";
for (x=0; x<input.length; x++)
{
values=escape(values+$("input[name^=" + formTypes + x + "]").val());

if (i ==2)
{
values=values+unescape("!");
}

}

Thanks

 

[Bes]

One problem might be that I appear to be escaping the entire string each time.

values[i]="";
for (x=0; x<input.length; x++)
{
values[i]=values[i]+$("input[name^=" + formTypes[i] + x + "]").escape(val());

if (i ==2)
{
values[i]=values[i]+unescape("!");
}

}

Hence the next time around, the ! I added is escaped. Is the above code better?