$conn = $obj->dbconnect(); function array_map_callback($a) { global $conn; return mysqli_real_escape_string($conn, $a); } if (isset($_POST) && count($_POST)) { // whats the action ?? $action = $_POST['action']; unset($_POST['action']); if ($action == "save") { // remove 'action' key from array, we no longer need it // Never ever believe on end user, he could be a evil minded $escapedPost = array_map('array_map_callback', $_POST); $escapedPost = array_map('htmlentities', $escapedPost); $res = $obj->save($escapedPost); if ($res) { $escapedPost["success"] = "1"; $escapedPost["id"] = $res; echo json_encode($escapedPost); } else { echo $obj->error("save"); } } else { if ($action == "del") { $id = $_POST['rid']; $res = $obj->delete_record($id); if ($res) { echo json_encode(array("success" => "1", "id" => $id)); } else { echo $obj->error("delete");