tiny mce sql error when adding links

Question

I am using tiny mce with a script I built for uploading some content to a blog like system. Whenever I add a link via tiny mce I get this error. The field type in mysql for $content which is the one carrying the link is longblob if that helps.

here is the link error first and then my code

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'google test" href="http://www.google.ca" target="_blank">google est laborum' at line 4

/* GRAB FORM DATA */
 $title = $_POST['title'];
 $date = $_POST['date'];
 $content = $_POST['content'];
 $imageName1 = $_FILES["file"]["name"];
 $date = date("Y-m-d");

 $sql = "INSERT INTO blog (title,date,content,image)VALUES(
 \"$title\",
 \"$date\",
 \"$content\",
 \"$imageName1\"
 )";

 $results = mysql_query($sql)or die(mysql_error());

UPDATE: how would I go about doing the same mysql escape with sprintf when I am doing a UPDATE WITH A WHERE statement currently I am getting the error

Warning: sprintf() [function.sprintf]: Too few arguments in /home/akitson1/anderskitson.ca/admin/blogEdit.php  on line 88
Query was empty



$sql = sprintf("UPDATE blog SET WHERE id=$thisID (title,date,content,image)VALUES('%s','%s','%s','%s')",
                                mysql_real_escape_string($title),
                                mysql_real_escape_string($date),
                                mysql_real_escape_string($content));

Answer 1

escape your data. mysql_real_escape_string() is best, addslashes() at least...

mysql_real_escape_string and sprintf:

  $title = $_POST['title'];
     $date = $_POST['date']; // why do you assign this here, though? it's re-assigned again below?
     $content = $_POST['content'];
     $imageName1 = $_FILES["file"]["name"];
     $date = date("Y-m-d");

     $sql = sprintf("INSERT INTO blog (title,date,content,image)VALUES('%s','%s','%s','%s')",
              mysql_real_escape_string($title),
              mysql_real_escape_string($date),
              mysql_real_escape_string($content),
              mysql_real_escape_string($imageName1) );

     $results = mysql_query($sql)or die(mysql_error());

This has at least two benefits:

1. lets you put in the data you want
2. prevents users from entering sql that gets parsed with the query. Look up sql injection, it's important to keep in mind as you develop.

sprintf is nice because it keeps your statement clean and lets you do other cool things. Check it out.

The last thing is you'll need to un escape your data when you get it. So

$result = mysql_query("SELECT * FROM `blog`");
$row = mysql_fetch_assoc($result);
echo stripslashes($row['content']);

Re: your update:

Your SQL is malformed for an update. As for sprintf, its going to replace all the %s's ( or %d for digit.. whatever you use) with the provided vars (if you give it 4 %s's, you need to give it 4 arguments).

In the case of your update, you have 5. four %s (strings) and one %d (digit)

$sql = sprintf("UPDATE `blog` SET `title` = '%s', `date` = '%s', `content` = '%s', `image` = '%s' WHERE `id` = '%d'",
                                mysql_real_escape_string($title), // first %s gets replaced
                                mysql_real_escape_string($date), // second %s gets replaced
                                mysql_real_escape_string($content), // third %s gets replaced
                                mysql_real_escape_string($imageName1), // fourth %s gets replaced
                                $thisId ); //forced as digit (the %d), no need for escaping

Answer 2

Try using mysql_real_escape_string

$title = mysql_real_escape_string($_POST['title']);
$date = mysql_real_escape_string($_POST['date']);
$content = mysql_real_escape_string($_POST['content']);
$imageName1 = $_FILES["file"]["name"];
$date = date("Y-m-d");