I have my AJAX function working fine but when my x1 variable (string) contains & or ' it doesn´t work. Here´s my script:

function ajax (label,x1) {
    var http = new XMLHttpRequest();
    var url = 'ajax.php';
    switch (label) {
        case "msgs": var params = 'label=' + label + '&text=' + x1;
    }
    http.open('POST', url, true);
    http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    http.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
            mensagem = this.responseText;
        }
    };
    http.send(params);
}

ajax.php:

if ($_POST['label'] == "msgs") {
    $sql = "INSERT into msgs(iduser,text) values(?,?)";
    $st = $mysqli->prepare($sql);
    $st->bind_param('is',$_SESSION['id'],$_POST['text']);
    if ($st->execute() && $st->affected_rows > 0) {
        die("Success");
    }
    $st->close();
}

To avoid this problem I replaced all & with { but when showing the data and replacing all body { to & it replaced all { from JS functions. How can I save strings with & and ' in my DB? Thanks.