Question

My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.

<?php 
    /*--------GLOBAL PROCEDURES--------*/
    session_start();
    require "../scr/config-data.php.inc";
    mysql_connect($host,$username,$password) or die ("Could Not Connect".mysql_error());
    mysql_select_db($db) or die ("Could Not Connect".mysql_error());

    /*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

    /*--------SPECIFIC PROCEDURES-------*/      
    if($_POST['submit']){
        //Check that POS has been chosen
        $htmlText = mysql_real_escape_string($_POST['cust']);
        if($htmlText != ""){
            mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
        }else{
            $feedback = "Please Enter some text into the editor";
        }
    }

    /*--------CLOSING PROCEDURES-------*/
    mysql_close();

?>

The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '

sfgafgafs

')' at line 1

Solution

From the error message given by you it looks like you are using order as the table name which happens to be a MySQL reserved word.

Try enclosing it in backticks.

OTHER TIPS

mysql_real_escape_string will not escape any html. It only escapes \x00, \n, \r, \, ', " and \x1a.

Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.

I too believe the reason is due to the table name being 'order', as MySQL takes it like you are trying to use the ORDER clause in an insert query; change the table name to something else.

Looks like you're missing the Link Identifier?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )
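The two points made in the answers above (that mysql_real_escape_string only rewrites the seven characters listed, so HTML tags pass through untouched, and that a reserved word such as order only parses as a table name when it is backtick-quoted) can be checked side by side. The following is an added Python illustration, not code from the question or from PHP; mysql_escape_string() is a hypothetical re-implementation of the documented character set for demonstration only, and the sample editor text is constructed. In a real PHP application the database side of this is better handled by PDO prepared statements than by hand-built strings.

```python
import html

# Re-implementation (assumption, for illustration only) of the character set the
# answer above attributes to mysql_real_escape_string(): NUL, \n, \r, \, ', " and \x1a.
# It deliberately ignores charset issues and is not a substitute for the real call.
_MYSQL_ESCAPES = {
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",
}


def mysql_escape_string(value: str) -> str:
    """Escape only the characters MySQL string literals care about.
    Note that '<', '>' and '&' are not in the set, so HTML survives unchanged."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def quote_identifier(name: str) -> str:
    """Backtick-quote a MySQL identifier so reserved words like order parse as names.
    A literal backtick inside the name is doubled, following MySQL's quoting rule."""
    return "`" + name.replace("`", "``") + "`"


def build_insert(table: str, text: str) -> str:
    """Build the INSERT from the question with the identifier quoted and the
    value escaped.  This mirrors the question's approach; parameterised queries
    remain the better option because the value never becomes part of the SQL text."""
    return f"INSERT INTO {quote_identifier(table)} VALUES (NULL, '{mysql_escape_string(text)}')"


def render_for_html(stored_text: str) -> str:
    """Escaping for the database says nothing about the browser: when the stored
    text is echoed back into a page it needs HTML escaping as a separate step."""
    return html.escape(stored_text, quote=True)


# Constructed sample of what a TinyMCE editor might submit.
SAMPLE_EDITOR_TEXT = '<p>O\'Reilly says "hello"</p>'

if __name__ == "__main__":
    print(build_insert("order", SAMPLE_EDITOR_TEXT))
    print(render_for_html(SAMPLE_EDITOR_TEXT))
```

Running it shows the quote characters rewritten for MySQL while the `<p>` tags are untouched, and the unquoted `order` from the error message replaced by `` `order` ``, which is the fix the accepted answer proposes.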

Licensed under: CC-BY-SA with attribution