
mysql_real_escape_string not working

My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML, i.e. with tags etc.

<?php 
    /*--------GLOBAL PROCEDURES--------*/
    session_start();
    require "../scr/config-data.php.inc";
    mysql_connect($host,$username,$password) or die 
    ("Could Not Connect".mysql_error());
    mysql_select_db($db) or die ("Could Not Connect".mysql_error());

    /*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

    /*--------SPECIFIC PROCEDURES-------*/      
    if($_POST['submit']){
        //Check that POS has been chosen
        $htmlText = mysql_real_escape_string($_POST['cust']);
        if($htmlText != ""){
            mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
        }else{
            $feedback = "Please Enter some text into the editor";
        }
    }

    /*--------CLOSING PROCEDURES-------*/
    mysql_close();

?>

The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '

sfgafgafs

')' at line 1

From the error message given by you it looks like you are using order as the table name, which happens to be a MySQL reserved word.

Try enclosing it in back ticks.

mysql_real_escape_string will not escape any HTML. It only escapes \x00, \n, \r, \, ', " and \x1a.

Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.

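I also believe the cause is that the table name is 'order': MySQL thinks you are trying to use an ORDER clause in the insert query. Change the table name to something else.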

Looks like you're missing the Link Identifier?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
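
The two points raised in the answers (the reserved word needs backticks, and SQL handling does not touch HTML) can be seen side by side in the following added example, which is not code from the thread. It uses PDO prepared statements because the mysql_* functions in the question were removed in PHP 7. As assumptions, an in-memory SQLite database stands in for MySQL so the script runs without a server (SQLite accepts MySQL-style backtick quoting), and the `body` column and the sample input are constructed.

```php
<?php
// In-memory SQLite stands in for MySQL (assumption); swap the DSN for a mysql: one in real use.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// `order` is a reserved word, so it is backtick-quoted wherever it names the table.
$pdo->exec('CREATE TABLE `order` (id INTEGER PRIMARY KEY, body TEXT)');

// Unquoted, the parser reads ORDER as a keyword and rejects the statement:
// the same class of syntax error reported in the question.
function insertUnquoted(PDO $pdo, string $html): string
{
    try {
        $pdo->prepare('INSERT INTO order VALUES (NULL, ?)')->execute([$html]);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// Quoted identifier plus a bound parameter: the value is sent as data,
// never spliced into the SQL text, so no manual escaping is needed.
function insertQuoted(PDO $pdo, string $html): int
{
    $stmt = $pdo->prepare('INSERT INTO `order` (body) VALUES (?)');
    $stmt->execute([$html]);
    return (int) $pdo->lastInsertId();
}

// Constructed TinyMCE-style input containing tags and both quote characters.
$html = "<p>It's a \"test\"</p>";

echo insertUnquoted($pdo, $html), "\n";
$id = insertQuoted($pdo, $html);

$stmt = $pdo->prepare('SELECT body FROM `order` WHERE id = ?');
$stmt->execute([$id]);
$stored = $stmt->fetchColumn();

// The database layer stores the markup byte for byte; it does no HTML escaping.
var_dump($stored === $html);

// HTML escaping is a separate step done at output time, and only when the
// content should be displayed as text instead of being rendered as markup.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```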
