开发者

mysql_real_escape_string not working

问答 作者:

My mysql_real_escape_string is being ignored. It's killing me, because I 开发者_运维百科feel like it's something tiny that I'm missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.

<?php 
    /*--------GLOBAL PROCEDURES--------*/
    session_start();
    require "../scr/config-data.php.inc";
    mysql_connect($host,$username,$password) or die 
    ("Could Not Connect".mysql_error());
    mysql_select_db($db) or die ("Could Not Connect".mysql_error());

    /*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

    /*--------SPECIFIC PROCEDURES-------*/      
    if($_POST['submit']){
        //Check that POS has been chosen
        $htmlText = mysql_real_escape_string($_POST['cust']);
        if($htmlText != ""){
            mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
        }else{
            $feedback = "Please Enter some text into the editor";
        }
    }

    /*--------CLOSING PROCEDURES-------*/
    mysql_close();

?>

The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '

sfgafgafs

')' at line 1

From the error message given by you it looks like you are using order as the table name which happens to be a MySQL reserved word.

Try enclosing it in back ticks.

mysql_real_escape_string will not escape any html. It only escapes \x00, \n, \r, \, ', " and \x1a.

Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.

I too believe the reason is due to the table name being 'order', as mysql takes it like you are trying to use the order clause in an insert query, change the table name to something else..

Looks like your missing the Link Identifier?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

继续阅读:mysql-real-escape-stringphp

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9