I have CKEditor and want to send its data to the server in order to store it in MySQL. I am able to send source code (data) of CKEditor to the server with jQuery Ajax but when I try to execute my SQL query in order to store it in the database the insert command gives error. I think the main problem here is that CKEditor data contains new lines in it. How to solve this problem?
I have found this question similar to mine, but when I tried it and it didn't work for me. And I didn't understand what does mysql_prep function do, because it is not standard PHP function.
update 1
The code for the HTML form is following:
$("#save").click(function(){
var data = $( '#editor1' ).val(); 开发者_JS百科
$.ajax({
type:"POST",
url:"save.php",
data: "editor1="+data,
timeout:15000,
error:function(XMLHttpRequest, textStatus, errorThrown){
alert("ERROR");
},
success:function(response){
alert("Success: "+response);
}
});
})
And the save.php has following codes:
<?php
include '../config.php'; //connecting to DB
$title='news 1'; $author=1; $date="2011/08/08"; $categories='1,2,3';
$short_text=$_POST['editor1']; $full_text=$_POST['editor1'];
$sql=sprintf('insert into news values(null,"%s",%d,"%s","%s","%s","%s")',$title,$author,$date,$short_text,$full_text,$categories);
mysql_query($sql) or die("Error in $sql");
?>
Little bobby tables says that you are very vulnerable to SQL Injection. The simplest way to both mitigate SQL injection and fix any issues with newlines is to use prepared statements. At the very least you need to be escaping your input, which would also fix issues with newlines. You could use mysql_real_escape_string, except of course that was deprecated years ago, so for recent work you should at least be using the mysqli* functions (and then use prepared queries while you are at it).
-Use this
$short_text= htmlspecialchars($_POST['editor1']);
![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif)
加载中,请稍侯......
精彩评论