My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.
The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML ie with tags etc.
<?php
/*--------GLOBAL PROCEDURES--------*/
session_start();
require "../scr/config-data.php.inc";
mysql_connect($host,$username,$password) or die
("Could Not Connect".mysql_error());
mysql_select_db($db) or die ("Could Not Connect".mysql_error());
/*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/
/*--------SPECIFIC PROCEDURES-------*/
if($_POST['submit']){
//Check that POS has been chosen
$htmlText = mysql_real_escape_string($_POST['cust']);
if($htmlText != ""){
mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
}else{
$feedback = "Please Enter some text into the editor";
}
}
/*--------CLOSING PROCEDURES-------*/
mysql_close();
?>
The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '
sfgafgafs
')' at line 1
From the error message given by you it looks like you are using order
as the table name which happens to be a MySQL reserved word .
Try enclosing it in back ticks.
mysql_real_escape_string will not escape any html. It only escapes \\x00, \\n, \\r, \\, ', " and \\x1a.
Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.
我也相信原因是由于表名是'order',因为mysql认为你试图在insert查询中使用order子句,将表名更改为其他名称。
Looks like your missing the Link Identifier?
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.