
Using TinyMCE as rich text editor. Gives error when trying to add a code example as a blog post. Site uses PHP-MySQL

Developer https://www.devze.com 2023-03-28 04:49 Source: Internet

I'm using TinyMCE for the textarea. The PHP code that adds the content to the database is below:

mysql_select_db('rough_site');
if(($_POST['post_content'] != ''))
{
    $current_date = date("Y-m-d");
    //$content_of_post = stripslashes($_POST['post_content']);
    // Raw form input, used unescaped in the query below
    $content_of_post = $_POST['post_content'];
    //$post_title=$_POST['post_title'];
    if(($_POST['post_title']) == '')
    {
        $post_title = "Untitled".time();
    }
    $addpost = "INSERT into posts (user_name, post_title, post_content, post_total, post_date)
    VALUES ('$_SESSION[user_name]', '$post_title', '$content_of_post', 0, '$current_date')";
    // Run the query; $confirmpost is false when MySQL rejects it
    $confirmpost = mysql_query($addpost);
    if(!$confirmpost)
    {
        echo "Problem adding your post . Please resubmit it . " ."<br/>" . mysql_error();
    }
}

Now if I try to add some PHP code as an example, it gives me an error like this:

Problem adding your post . Please resubmit it . You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '/em>'); print $password . “ is the encrypted version of mypassword&' at line 2 .

What is wrong here? Thanks!

Example code I wanted to add:

<?php 
$password = crypt('mypassword'); 
print $password . “ is the encrypted version of mypassword”; 

?> 


<?php 
$password = crypt('mypassword' , 'd4'); 
print $password . " is the CRYPT_STD_DES version of mypassword<br>"; 
$password = crypt('mypassword' , 'k783d.y1g'); 
print $password . " is the CRYPT_EXT_DES version of mypassword<br>"; 
$password = crypt('mypassword' , '$1$d4juhy6d$'); 
print $password . " is the CRYPT_MD5 version of mypassword<br>"; 
$password = crypt('mypassword' , '$2a$07$kiuhgfslerd...........$'); 
print $password . " is the CRYPT_BLOWFISH version of mypassword<br>"; 
?> 


You should use mysql_real_escape_string on the input you receive from form:

$content_of_post = mysql_real_escape_string($_POST['post_content']);

Also, your $post_title is not being set if you have $_POST['post_title'] set. This will also end up in an SQL error. Should be something like:

$post_title=(!empty($_POST['post_title']))?$_POST['post_title']:"Untitled".time();

Also, appending input data into an SQL query directly is a very bad practice. Consider using mysqli and prepared statements.


I'm guessing that you need to escape your input before posting to the database. It looks like your query breaks at the first 'quote' which makes sense.

Since you're using the legacy mysql extension, have a look at this page on the manual

So you would do something like this before assigning your $addpost variable:

$content_of_post = mysql_real_escape_string($content_of_post);

You should do that for all fields, by the way, to reduce the risk of MySQL injection attacks. Hope I'm right in guessing and that this helps.
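
Why the concatenated query breaks on the posted snippet and how a prepared statement avoids it, as an added example that is not code from the original posts. It uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs without a server (with MySQL the same pattern is mysqli's prepare(), bind_param() and execute()); `demo_user`, the function names and the sample content are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL "posts" table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (user_name TEXT, post_title TEXT, post_content TEXT,
                               post_total INTEGER, post_date TEXT)');

// Constructed sample input: the kind of snippet the question tried to post.
$content = "<?php \$password = crypt('mypassword'); print \$password; ?>";
$user    = 'demo_user';   // hypothetical; stands in for $_SESSION['user_name']
$title   = '';            // empty title, as when the form field is left blank
$title   = ($title !== '') ? $title : 'Untitled' . time();
$date    = date('Y-m-d');

// 1) Query built by concatenation, as in the question: the first single quote
//    in $content ends the SQL string literal and the statement no longer parses.
function insert_concatenated(PDO $db, $user, $title, $content, $date) {
    $sql = "INSERT INTO posts (user_name, post_title, post_content, post_total, post_date)
            VALUES ('$user', '$title', '$content', 0, '$date')";
    try {
        $db->exec($sql);
        return 'inserted';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2) Prepared statement: the SQL text is fixed and the values travel separately
//    as bound parameters, so quotes in the content are stored as plain data.
function insert_prepared(PDO $db, $user, $title, $content, $date) {
    $stmt = $db->prepare(
        'INSERT INTO posts (user_name, post_title, post_content, post_total, post_date)
         VALUES (?, ?, ?, 0, ?)'
    );
    return $stmt->execute([$user, $title, $content, $date]);
}

echo insert_concatenated($db, $user, $title, $content, $date), "\n";
var_dump(insert_prepared($db, $user, $title, $content, $date));

// Read the row back and compare it with what was submitted.
$stored = $db->query('SELECT post_content FROM posts')->fetchColumn();
var_dump($stored === $content);
```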
