apostrophes in tinymce editor breaks the mysql query, how do I fix this?
+2
A:
You've got an SQL-injection problem in your server-side script. The problem is nothing to do with TinyMCE; a plain text field would expose the same issue.
This is a serious security problem. You need to SQL-string-literal-escape every piece of text you put into an SQL query. Better is to use parameterised queries, so that text values don't get directly added into queries.
How you do SQL escaping or parameterised queries depends on what server-side programming language you are using. (eg. for PHP see mysql_real_escape_string, mysqli_bind_param or PDOStatement->execute with parameters argument.)
bobince
2010-09-28 10:15:12
it should be ...mysql_real_escape_string *for strings and explicit type casting for numbers*...
Col. Shrapnel
2010-09-28 10:19:10
@bobince, thank you very much!!!
dany
2010-09-28 10:31:40
@Col. Shrapnel, thanks!
dany
2010-09-28 10:31:57
@dany are you sure you took it right? Instead of **every** variable in the query there should be a `?` mark? Every one, not only the one that caused this problem? It will require another mysql library use.
Col. Shrapnel
2010-09-28 10:36:20
@Col. Shrapnel, yes, the post was set to a variable `$post` and when the variable contained an apostrophe in the query, it would break the query. Example: `$post="it's mine"`, `mysql_query("UPDATE table SET POST='$post'")`. Apostrophes in `$post` conflicted with apostrophes in `mysql_query`.
dany
2010-09-29 08:02:09
@dany I do understand your problem well. While you do not understand your problem at all. Not only $post must be escaped.
Col. Shrapnel
2010-09-29 08:47:19
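The fix bobince and Col. Shrapnel are describing, as an added example that is not code from the answer or the comments: the `UPDATE` from the thread rewritten with prepared statements, once with PDO and once with mysqli, so that the apostrophe in `$post` is passed as data rather than spliced into the SQL text. It assumes a MySQL table `posts` with columns `id INT` and `post TEXT`; the DSN, credentials and the `$_POST` field names are placeholders.

```php
<?php
// Added example (not from the original answer or comments).
// Assumes a MySQL table `posts` (id INT PRIMARY KEY, post TEXT).
// DSN, credentials and form field names below are placeholders.

declare(strict_types=1);

// The broken pattern from the thread. The apostrophe in $post ends the SQL
// string literal early, so "it's mine" is a syntax error, and any input that
// happens to be valid SQL after that quote runs as part of the statement:
//
//   mysql_query("UPDATE posts SET post='$post' WHERE id=$id");
//
// The old mysql_* extension has no parameter binding, which is why the
// comments say a different library (mysqli or PDO) is needed.

function connect(): PDO
{
    // Native prepares (emulation off) so the MySQL server itself keeps the
    // statement text and the bound values apart.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'DB_USER',                                          // placeholder
        'DB_PASSWORD',                                      // placeholder
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Every value that reaches the query goes through a placeholder: the text is
// bound as a string, the id is cast to int and bound as an integer. This is
// the "escape strings, cast numbers" rule from the comments, done by binding
// instead of by hand, and it applies to every variable, not just $post.
function updatePost(PDO $pdo, int $id, string $post): int
{
    $stmt = $pdo->prepare('UPDATE posts SET post = :post WHERE id = :id');
    $stmt->bindValue(':post', $post, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // rows changed
}

// Same thing with mysqli, for code that already uses that extension.
// 's' binds the first placeholder as a string, 'i' the second as an integer.
function updatePostMysqli(mysqli $db, int $id, string $post): int
{
    $stmt = $db->prepare('UPDATE posts SET post = ? WHERE id = ?');
    $stmt->bind_param('si', $post, $id);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage from the form handler that receives the TinyMCE content:
$pdo  = connect();
$post = (string) ($_POST['post'] ?? '');  // "it's mine" is now just a value
$id   = (int) ($_POST['id'] ?? 0);        // non-numeric input becomes 0, never SQL
$changed = updatePost($pdo, $id, $post);
```

With binding in place there is no quoting or escaping left to forget: the apostrophe that broke the original query is stored verbatim, and the same code path also stops input that contains `'` followed by SQL from being executed.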