
My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.

<?php
/*--------GLOBAL PROCEDURES--------*/
session_start();
require "../scr/config-data.php.inc";
mysql_connect($host, $username, $password) or die("Could Not Connect" . mysql_error());
mysql_select_db($db) or die("Could Not Connect" . mysql_error());

/*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

/*--------SPECIFIC PROCEDURES-------*/
if ($_POST['submit']) {
    //Check that POS has been chosen
    $htmlText = mysql_real_escape_string($_POST['cust']);
    if ($htmlText != "") {
        mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
    } else {
        $feedback = "Please Enter some text into the editor";
    }
}

/*--------CLOSING PROCEDURES-------*/
mysql_close();

?>

The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '

sfgafgafs

')' at line 1
  • What error message do you get for what example input?
    – Gumbo
    Commented Jan 21, 2011 at 14:26
  • the above error message is given, but the particular field should be <p>sfgafgafs</p> when escaped, but it's rendering it as HTML
    – Dan Hanly
    Commented Jan 21, 2011 at 14:27
  • Is your table named "order"? Try changing that to `order` (backticks)
    – labue
    Commented Jan 21, 2011 at 14:29

4 Answers


From the error message given by you it looks like you are using order as the table name which happens to be a MySQL reserved word.

Try enclosing it in back ticks.

  • Thanks! I did this about a week ago with the word add... Didn't learn from my own mistakes by the looks of things, cheers!
    – Dan Hanly
    Commented Jan 21, 2011 at 14:31

mysql_real_escape_string will not escape any html. It only escapes \x00, \n, \r, \, ', " and \x1a.

Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.

  • no, it's order but I changed it to table just for the example, to take it out of the context. But luckily, when I pasted my error message I'd left the word Order in, it's a reserved word :( thanks anyway!
    – Dan Hanly
    Commented Jan 21, 2011 at 14:31
  • table is also a reserved word BTW
    – Mchl
    Commented Jan 21, 2011 at 15:07
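The two answers above touch two separate concerns: the reserved-word table name, and the fact that SQL escaping has nothing to do with HTML. The following added example (not code from the question or the answers) shows both with PDO prepared statements instead of mysql_real_escape_string; it assumes a table named `order` with an `id` and a `cust` column, and uses an in-memory SQLite database so it runs offline (the backtick identifier quoting is MySQL's syntax, which SQLite also accepts).

```php
<?php
// Added example: store TinyMCE HTML in a table named `order` safely.
// 1) `order` is a MySQL reserved word, so the identifier is backtick-quoted.
// 2) The value goes in as a bound parameter; the driver handles SQL quoting,
//    so no manual escaping is needed and nothing in the text can break the query.
// 3) HTML is stored verbatim. Escaping for HTML is an output concern, done with
//    htmlspecialchars() where the text is displayed as literal text.
// Assumes a table `order`(id, cust); uses SQLite in memory so it runs offline.

function storeEditorText(PDO $pdo, string $htmlText): int {
    $stmt = $pdo->prepare("INSERT INTO `order` (id, cust) VALUES (NULL, :cust)");
    $stmt->execute([':cust' => $htmlText]);
    return (int) $pdo->lastInsertId();
}

function fetchEditorText(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare("SELECT cust FROM `order` WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Escape for display as plain text (for example in an admin listing). If the
// stored HTML must be rendered as markup, that calls for an HTML sanitizer,
// not for htmlspecialchars() and not for SQL escaping.
function renderAsText(string $stored): string {
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE `order` (id INTEGER PRIMARY KEY, cust TEXT NOT NULL)");

// Constructed sample input in the shape TinyMCE produces, with a single quote
// that would have broken a naively concatenated query.
$sample = "<p>sfgafgafs O'Brien</p>";
$id = storeEditorText($pdo, $sample);
$stored = fetchEditorText($pdo, $id);

// The round trip preserves the HTML and the quote exactly.
assert($stored === $sample);
echo $stored, "\n";
echo renderAsText($stored), "\n";
```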

I too believe the reason is due to the table name being 'order', as mysql takes it like you are trying to use the order clause in an insert query, change the table name to something else..

  • the accepted answer said that over 2 months ago. I backticked the table name and it worked. Thanks for the effort, but you're a little late for this one
    – Dan Hanly
    Commented Mar 24, 2011 at 20:01

Looks like you're missing the Link Identifier?

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

  • You do know that the link identifier is optional right? "If link_identifier isn't defined, the last MySQL connection is used."
    – Viper_Sb
    Commented Jan 21, 2011 at 14:31
  • I thought it was required, next time I'll just post comments so I don't lose any points!
    – Drewdin
    Commented Jan 21, 2011 at 14:45
