Home/ Questions/Q 3755332
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T09:40:56+00:00

My mysql_real_escape_string is being ignored. It’s killing me, because I feel like it’s something

  • 0

My mysql_real_escape_string is being ignored. It’s killing me, because I feel like it’s something tiny that I’m missing.

The $htmlText variable comes from a TinyMCE editor where the text is rendered as HTML i.e. with tags etc.

<?php 
    /*--------GLOBAL PROCEDURES--------*/
    session_start();
    require "../scr/config-data.php.inc";
    mysql_connect($host,$username,$password) or die 
    ("Could Not Connect".mysql_error());
    mysql_select_db($db) or die ("Could Not Connect".mysql_error());

    /*-----SEVERAL SELECT/INSERT QUERIES, ALL WORKING FINE-----*/

    /*--------SPECIFIC PROCEDURES-------*/      
    if($_POST['submit']){
        //Check that POS has been chosen
        $htmlText = mysql_real_escape_string($_POST['cust']);
        if($htmlText != ""){
            mysql_query("INSERT INTO table VALUES(NULL, '$htmlText' )") or die(mysql_error());
        }else{
            $feedback = "Please Enter some text into the editor";
        }
    }

    /*--------CLOSING PROCEDURES-------*/
    mysql_close();

?>

The strange thing is, it’s been adapted from a script that works, only changing the variable names. I’m getting an Error in MySQL syntax. It’s also not escaping the HTML in the text so I’m getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'order VALUES(NULL, '

sfgafgafs

')' at line 1
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    From the error message given by you it looks like you are using order as the table name which happens to be a MySQL reserved word.

    Try enclosing it in back ticks.

    • 0