mysql_real_escape_string not working
My mysql_real_escape_string is being ignored. It's killing me, because I feel like it's something tiny that I'm missing.
The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.
<?php
/*--------GLOBAL PROCEDURES--------*/
session_start();
require "../scr/config-data.php.inc";
mysql_connect($host,$username,$password) or die ("Could Not Connect".mysql_error());
mysql_select_db($db) or die ("Could Not Connect".mysql_error());
/*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/
/*--------SPECIFIC PROCEDURES-------*/
if($_POST['submit']){
    //Check that POS has been chosen
    $htmlText = mysql_real_escape_string($_POST['cust']);
    if($htmlText != ""){
        mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
    }else{
        $feedback = "Please Enter some text into the editor";
    }
}
/*--------CLOSING PROCEDURES-------*/
mysql_close();
?>
The strange thing is, it's been adapted from a script that works, only changing the variable names. I'm getting an Error in MySQL syntax. It's also not escaping the HTML in the text so I'm getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '
sfgafgafs
')' at line 1
Comments (4)
From the error message given by you it looks like you are using "order" as the table name which happens to be a MySQL reserved word. Try enclosing it in back ticks.
mysql_real_escape_string will not escape any html. It only escapes \x00, \n, \r, \, ', " and \x1a.
Your table's name should not be "order", because it is an SQL special word. You should rename it or make sure that you put it in backticks.
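The two points in the answer above (a reserved word used as a table name, and SQL escaping being separate from HTML encoding), as an added example that is not part of the original thread. The mysql_* extension was removed in PHP 7, so it uses PDO with a bound parameter; the in-memory SQLite database is a stand-in for MySQL so the script runs without a server, and quote_identifier(), insert_text(), the column names and the sample input are assumptions.

```php
<?php
// Added example, not the asker's code. SQLite in memory stands in for MySQL:
// both treat ORDER as a reserved word and both accept backtick-quoted
// identifiers. Column names and the sample input are constructed.

// Identifiers cannot be bound as parameters, so check them against an
// allowlist and backtick-quote them (doubling any embedded backtick).
function quote_identifier(string $name, array $allowed): string
{
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException("unexpected identifier: $name");
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// The value is passed as a bound parameter, so it is never parsed as SQL.
function insert_text(PDO $pdo, string $table, string $htmlText): bool
{
    $sql = 'INSERT INTO ' . quote_identifier($table, ['order']) . ' VALUES (NULL, ?)';
    return $pdo->prepare($sql)->execute([$htmlText]);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `order` (id INTEGER PRIMARY KEY, body TEXT)');

$htmlText = "<p>it's <b>\"quoted\"</b></p>\n"; // constructed TinyMCE-style input

// 1. Unquoted reserved word: the statement fails to parse, whatever the value is.
try {
    $pdo->prepare('INSERT INTO order VALUES (NULL, ?)')->execute([$htmlText]);
} catch (PDOException $e) {
    echo "unquoted table name: ", $e->getMessage(), "\n";
}

// 2. Quoted identifier plus bound parameter: the text is stored byte for byte.
insert_text($pdo, 'order', $htmlText);
$stored = $pdo->query('SELECT body FROM `order`')->fetchColumn();
var_dump($stored === $htmlText);

// 3. HTML encoding is a separate step, applied when the text is written
//    into a page as plain text, not when it is inserted into the database.
echo htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
```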
I too believe the reason is due to the table name being 'order', as MySQL takes it like you are trying to use the order clause in an insert query. Change the table name to something else.
Looks like you're missing the Link Identifier?
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )