2 replies to this topic

[alirezan]

Hi guys

I have been trying to make a WYSIWYG editor that saves the HTML content into database.
The problem I run into is when I change fonts and add colors and everything, and try to insert/update the database I get the following error:

Quote

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Times New Roman'; font-style: normal; font-variant: normal; font-weight: normal;' at line 2

which basically means it can't parse ' which seems reasonable. I thought about replacing ' with \' in PHP but it didn't work. Do you guys know how I could fix this?

Any help is appreciated.

Thanks

[Alexander]

The single quote is significant to MySQL and must be escaped. The function addslashes, or specifically for MySQL the function mysql_real_escape_string() around the data should correct any issues with strings.

A simplistic example:

<?php
  $example =  mysql_real_escape_string("<font face='New Times Roman'></font>");
  mysql_query("SELECT foo FROM bar WHERE example = '$example'");

Note that this function requires an open database connection, which shouldn't be a problem in your code.

More can be read about it here:
PHP.NET - mysql_real_escape_string()

The reason why your code did not work is, \' will become ', you must use \\' to make \', but using the above functions will aid in creating valid escapes rather than a messy string replace.

[yesanded]

This is perfect. I had this exact same question, and your answer was the perfect solution.