Ckeditor only submits part of the content

Question

I'm using ajax to gather the ckeditor data to be submitted. The problem is only the content before the first apostrophe is being submitted to the database. What could I be doing wrong?

Edit:

$date = strtotime($formData['date']);
$article=mysql_real_escape_string($formData['article'],$DBconnect);

$DBconnect=mysql_connect($dbVals['host'],$dbVals['user'],$dbVals['pass']);

mysql_select_db($dbVals['db'], $DBconnect);
$SQLstring="INSERT INTO PressRelease (ip, tym, title, date, article) VALUES('${_SERVER['REMOTE_ADDR']}', ".time().",'${formData['title']}', '$date', '$article')";

I'm fairly new at this so if there is anything else you need to see in order to help let me know.

Answer 1

It sounds like you aren't escaping the text data before you insert it into the database. Use this function on the data before you pass it into your SQL query:

http://www.php.net/manual/en/function.mysql-real-escape-string.php

Edit: sorry, that's assuming you are using MySQL.

Answer 2

A different, more complicated, and arguably superior method to the one suggested by Mark, is using Parameterized Statements.

To borrow an example from Wikipedia:

<?php
$db = new mysqli("localhost", "user", "pass", "database");
$stmt = $db -> prepare("SELECT priv FROM testUsers WHERE username=? AND password=?");
$stmt -> bind_param("ss", $user, $pass);
$stmt -> execute();
?>

It leaves the escaping up to the MySQL driver, severely reducing the chance of SQL Injection and things like accidental double-escaping.

Note that this is not possible using the old MySQL functions. You need the Improved MySQLI functions/object, or something like PDO.

Answer 3

If I understand correctly the following is the case:

• You've got a textarea that's "taken over" by CKeditor
• You're reading the content of that textarea with Javascript
• You're sending the gathered content to the server with AJAX

If you alert() the content that Javascript gets from the textarea, you can see whether step 2 succeeds. If not, please post your Javascript.

If step 2 is correct, then maybe there's a problem server side, dump your db query to look at that.

Update: Make sure you when you're developing that you turn on all errors and notices. And if you're doing stuff which you can't "see" easily, like AJAX, make sure to keep an eye on your server's error log.

In your code example line 2 you use $DBconnect, and then in line 4 you define what that is. As you can see in the PHP.net entry for mysql_real_escape_string if the function cannot find a connection to the database the function generates an error and returns FALSE. The FALSE is put into your database and that's what goes into your database.

My advice to you is: try harder at debugging. Test all your assumptions, test the value of variables at every step, check if they have the value you expect them to have. Use var_dump(), print_r(), echo and die(). Or if you want something more advanced use a debugger (I don't).