tags:

views:

12

answers:

2

I am using tiny mce with a script I built for uploading some content to a blog like system. Whenever I add a link via tiny mce I get this error. The field type in mysql for $content which is the one carrying the link is longblob if that helps.

here is the link error first and then my code

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'google test" href="http://www.google.ca" target="_blank">google est laborum' at line 4

/* GRAB FORM DATA */
 $title = $_POST['title'];
 $date = $_POST['date'];
 $content = $_POST['content'];
 $imageName1 = $_FILES["file"]["name"];
 $date = date("Y-m-d");

 $sql = "INSERT INTO blog (title,date,content,image)VALUES(
 \"$title\",
 \"$date\",
 \"$content\",
 \"$imageName1\"
 )";

 $results = mysql_query($sql)or die(mysql_error());

UPDATE: how would I go about doing the same mysql escape with sprintf when I am doing a UPDATE WITH A WHERE statement currently I am getting the error

Warning: sprintf() [function.sprintf]: Too few arguments in /home/akitson1/anderskitson.ca/admin/blogEdit.php  on line 88
Query was empty



$sql = sprintf("UPDATE blog SET WHERE id=$thisID (title,date,content,image)VALUES('%s','%s','%s','%s')",
                                mysql_real_escape_string($title),
                                mysql_real_escape_string($date),
                                mysql_real_escape_string($content));
+2  A: 

escape your data. mysql_real_escape_string() is best, addslashes() at least...

mysql_real_escape_string and sprintf:

  $title = $_POST['title'];
     $date = $_POST['date']; // why do you assign this here, though? it's re-assigned again below?
     $content = $_POST['content'];
     $imageName1 = $_FILES["file"]["name"];
     $date = date("Y-m-d");

     $sql = sprintf("INSERT INTO blog (title,date,content,image)VALUES('%s','%s','%s','%s')",
              mysql_real_escape_string($title),
              mysql_real_escape_string($date),
              mysql_real_escape_string($content),
              mysql_real_escape_string($imageName1) );

     $results = mysql_query($sql)or die(mysql_error());

This has at least two benefits:

  1. lets you put in the data you want
  2. prevents users from entering sql that gets parsed with the query. Look up sql injection, it's important to keep in mind as you develop.

sprintf is nice because it keeps your statement clean and lets you do other cool things. Check it out.

The last thing is you'll need to un escape your data when you get it. So

$result = mysql_query("SELECT * FROM `blog`");
$row = mysql_fetch_assoc($result);
echo stripslashes($row['content']);

Re: your update:

Your SQL is malformed for an update. As for sprintf, its going to replace all the %s's ( or %d for digit.. whatever you use) with the provided vars (if you give it 4 %s's, you need to give it 4 arguments).

In the case of your update, you have 5. four %s (strings) and one %d (digit)

$sql = sprintf("UPDATE `blog` SET `title` = '%s', `date` = '%s', `content` = '%s', `image` = '%s' WHERE `id` = '%d'",
                                mysql_real_escape_string($title), // first %s gets replaced
                                mysql_real_escape_string($date), // second %s gets replaced
                                mysql_real_escape_string($content), // third %s gets replaced
                                mysql_real_escape_string($imageName1), // fourth %s gets replaced
                                $thisId ); //forced as digit (the %d), no need for escaping
Dan Heberden
Thanks for this, it is working perfectly now, and thanks for the tips on sql injection, i dont know when I will use sprintf since I am still new to php, but i think one day I will be happy i started using it.
Anders Kitson
I just added a update with a new error I am getting if you could help me again that would be awesome.
Anders Kitson
see updated answer.
Dan Heberden
i am getting this error Unknown column '16' in 'where clause'
Anders Kitson
Sounds like your where is WHERE %d instead of WHERE id = %d. Too, just to clarify, field names are in backticks (the same as tilde key, left of #1) and field data goes in single/double quotes (in this case single).
Dan Heberden
I had WHERE `id` = `%d` instead of '%d'
Anders Kitson
A: 

Try using mysql_real_escape_string

$title = mysql_real_escape_string($_POST['title']);
$date = mysql_real_escape_string($_POST['date']);
$content = mysql_real_escape_string($_POST['content']);
$imageName1 = $_FILES["file"]["name"];
$date = date("Y-m-d");
Jack