SARUAV - 3 months ago
MySQL Question

CKEditor Upload code snippet - SQL Error

I'm having trouble uploading code snippets from CKEditor. They are formatted fine; however, when uploading to the database it views the text as code and stops once hitting a '$' variable.
This is the output from CKEditor for a code snippet:

<pre>
<code class="language-php">
echo $hello
</code></pre>

<p>&nbsp;</p>

And this is what's used to post to the database:

// Timestamps for the new thread row (note: $date gets a trailing "\n" here,
// and $utc_time is computed but never used in the INSERT below)
$date = date('Y-m-d') ."\n";
$now = time(); $utc_time = $now - intval(date('Z', $now));
$time = date('H:i:s', $now);

// Raw, unescaped request input
$name = $_POST['title'];
$subject = $_POST['subject'];

$forum_id = $_POST['forum_id'];
$post = $_POST['post'];

$user_id = $_SESSION['user']['user_id'];
// Every value, including the CKEditor HTML in $post, is spliced straight into the SQL text
$sql = "INSERT INTO threads (forum_id,user_id,name,post,time,date,subject) VALUES ('$forum_id','$user_id','$name','".$post."','$time','$date','$subject');";

And the error is:

( ! ) Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'echo $hello' in /storage/www/fsociety/newthread.php on line 72
( ! ) PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'echo $hello' at line 1 in /storage/www/fsociety/newthread.php on line 72

ddb
Answer

Before saving, you should encode HTML like this:

$post = mysql_real_escape_string($_POST['post']);
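
As an added example (not code from the question or the answer), here is the same INSERT written with a PDO prepared statement, which is the standard fix when the connection is already PDO, as the stack trace in the question shows. Binding the values keeps the statement text fixed, so the post body can contain quotes, semicolons or `$` and is stored verbatim, and there is nothing left for an attacker to inject into the query. Note that `mysql_real_escape_string()` belongs to the legacy ext/mysql extension, which needs its own `mysql_connect()` link and was removed in PHP 7, so it cannot be used with a PDO handle. The DSN, credentials, sample values and the `insertThread()` helper below are assumptions.

```php
<?php
// Added example, not part of the original question or answer.
// Assumes a MySQL database reachable via PDO that contains the `threads`
// table from the question: (forum_id, user_id, name, post, time, date, subject).
// The DSN and credentials below are assumptions.
$pdo = new PDO(
    'mysql:host=localhost;dbname=fsociety;charset=utf8mb4', // assumed DSN
    'dbuser',                                               // assumed
    'dbpass',                                               // assumed
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw, as in the question's trace
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

/**
 * Insert a thread row. Every user-supplied value is bound as a parameter:
 * the SQL text MySQL parses is always the literal string below, so the post
 * body may contain $, quotes, semicolons or "'); DROP TABLE ..." and is
 * stored exactly as submitted. (insertThread is a hypothetical helper.)
 */
function insertThread(PDO $pdo, int $forumId, int $userId, string $name,
                      string $post, string $subject): int
{
    $sql = 'INSERT INTO threads (forum_id, user_id, name, post, time, date, subject)
            VALUES (:forum_id, :user_id, :name, :post, :time, :date, :subject)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':forum_id' => $forumId,
        ':user_id'  => $userId,
        ':name'     => $name,
        ':post'     => $post,
        ':time'     => date('H:i:s'),
        ':date'     => date('Y-m-d'),
        ':subject'  => $subject,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input (not real request data): the CKEditor output from
// the question, plus a deliberately hostile body to show that binding holds.
$forumId = 3;   // assumed, would come from $_POST['forum_id']
$userId  = 42;  // assumed, would come from $_SESSION['user']['user_id']
$bodies = [
    "<pre>\n<code class=\"language-php\">\necho \$hello\n</code></pre>\n\n<p>&nbsp;</p>",
    "it's a trap'); DROP TABLE threads; --",
];

foreach ($bodies as $body) {
    $id = insertThread($pdo, $forumId, $userId, 'code snippet test', $body, 'test subject');
    echo "stored thread {$id} with " . strlen($body) . " byte body\n";
}
```

Turning off `PDO::ATTR_EMULATE_PREPARES` makes MySQL prepare the statement server side; if emulation stays on, PDO escapes client side instead, and then the `charset=` in the DSN must match the connection's real charset or multibyte sequences can defeat the escaping. Parameter binding protects only the SQL layer: what gets stored is still the HTML that CKEditor produced, so it has to go through an HTML sanitizer (or `htmlspecialchars()` for plain display) when it is rendered back to other users' browsers.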