The best way to handle quotes in data with database calls is to keep the SQL and data separate using a prepare statement for the SQL and a bind statement for the data - then there is no issue with the data containing quotes.
The problem is happening when a string containing a single quote gets passed into the URL used for the AJAX call. The call fails when the status doesn’t return 200. For example…
var ProductName = document.getElementById('ProductName').value; // Has a product name with a single quote for the value
// Function I created to make calls
ajax('mypage.asp?productname=' + ProductName);
If no single quotes are present then the call works as expected.
There are a number of reasons for using prepare statements. That they prevent injection is a side effect and not their purpose. That they keep the data separate from the SQL means that you don’t need to use mysqli_real_escape_string to escape those characters that are valid in the data but which would otherwise break the SQL - in this case the quote.
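Added example, not code from any poster in this thread: a Python/sqlite3 stand-in for the server page behind the AJAX call, showing the same product name producing a non-200 status when spliced into the SQL text and a normal result when bound as a parameter. The table, sample rows and function names are assumptions made for illustration; the thread's own server side is ASP/MySQL.

```python
import sqlite3
from urllib.parse import quote, urlsplit, parse_qs


def make_db():
    """In-memory table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, price REAL)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("Widget", 9.99), ("Baker's Rack", 49.50)])
    return db


def build_url(product_name):
    """Client side: percent-encode the value before adding it to the query string."""
    return "mypage.asp?productname=" + quote(product_name, safe="")


def _param(url):
    # parse_qs percent-decodes, so the handler sees the original quote again.
    return parse_qs(urlsplit(url).query)["productname"][0]


def handle_concat(db, url):
    """'Before': the data is spliced into the SQL text, so a quote ends the literal."""
    sql = "SELECT name, price FROM products WHERE name = '" + _param(url) + "'"
    try:
        return 200, db.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, str(exc)  # what the AJAX caller sees as "status is not 200"


def handle_bound(db, url):
    """'After': SQL text is fixed; the value travels separately as a bound parameter."""
    sql = "SELECT name, price FROM products WHERE name = ?"
    return 200, db.execute(sql, (_param(url),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for name in ("Widget", "Baker's Rack"):
        url = build_url(name)
        print(url, handle_concat(db, url)[0], handle_bound(db, url)[0])
```

Encoding the URL on the client does not change the outcome for the concatenating handler, because the server decodes the value back to a literal quote before building the query.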