Reputation: 47
I am using TinyMCE on my new site in English, which I am building by myself (I am like a Sunday programmer :) ). Before, when I was doing sites in my native language, I did not get this problem:
So... when I write in the textarea a word like "don't" or "doesn't", the "'" breaks the MySQL query and I get an error about MySQL syntax. Is there a way to get around this and allow "'" to be saved in the database?
The code for edit page looks like this
<textarea rows="12" cols="50" height="200px" name="text" >
<?php echo $row['text'];?>
</textarea>
And query
$sql="UPDATE works SET client='".$_POST["client"]."', description='".$_POST["description"]."', text='".$_POST["text"]."', image='".$_FILES["attels"]["name"]."' WHERE id=".$_GET['id']."";
And also, is there a way to remove the <p> tag from the textarea? TinyMCE automatically puts these in front of every paragraph, but I don't need them.
Upvotes: 1
Views: 621
Reputation: 7349
You can clean up text that you are inserting into the database with the mysql_real_escape_string() function. This adds backslashes in front of the characters that can cause problems, such as the single quote.
$sql = "UPDATE works SET"
     . " client='"      . mysql_real_escape_string($_POST["client"])          . "',"
     . " description='" . mysql_real_escape_string($_POST["description"])     . "',"
     . " text='"        . mysql_real_escape_string($_POST["text"])            . "',"
     . " image='"       . mysql_real_escape_string($_FILES["attels"]["name"]) . "'"
     . " WHERE id="     . sprintf("%d", $_GET['id']);   // %d forces the id to an integer
Ideally you should also use sprintf() to guard against SQL injection.
Upvotes: 1
Reputation: 18531
You need to use mysql_escape_string to clean your POST variables for use in the MySQL query.
Upvotes: 1
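Both answers above reach for the mysql_* escaping functions. As an added example, not taken from the question or from either answer, here is the same UPDATE written with a mysqli prepared statement, which is what current PHP offers for this problem (the mysql_* extension was removed in PHP 7): the values are bound separately from the SQL text, so the apostrophe in "don't" is stored as data without any escaping and cannot break or alter the query. The table and column names come from the question; the connection credentials, the sample text and the id value are placeholders I constructed. The renderTextarea() helper is my addition as well: it escapes the stored text when it is echoed back into the edit form, which the question's own textarea snippet does not do.

```php
<?php
// Added example, not code from the question or either answer.
// Hardened form of the question's UPDATE using mysqli prepared statements.
declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one row of `works`. Every value travels as a bound parameter, so a
 * quote inside $text (e.g. "don't") is stored verbatim and never becomes
 * part of the SQL text. Returns the number of rows changed.
 */
function updateWork(mysqli $db, int $id, string $client, string $description,
                    string $text, string $image): int
{
    $sql  = 'UPDATE works SET client = ?, description = ?, text = ?, image = ? WHERE id = ?';
    $stmt = $db->prepare($sql);
    // Types 'ssssi': four strings and one integer. No escaping is needed;
    // escaping a bound value would actually store the backslashes.
    $stmt->bind_param('ssssi', $client, $description, $text, $image, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

/**
 * Render the stored text back into the edit form. This is the HTML-side
 * counterpart of binding parameters: a stored "</textarea>" or a quote
 * cannot terminate the element early or inject markup into the page.
 */
function renderTextarea(string $text): string
{
    return '<textarea rows="12" cols="50" name="text">'
         . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8')
         . '</textarea>';
}

// --- usage ---
// Placeholder credentials (assumption); utf8mb4 so multibyte text is stored intact.
$db = new mysqli('localhost', 'user', 'password', 'database');
$db->set_charset('utf8mb4');

// Constructed sample input. In the real edit page these come from $_POST,
// $_GET['id'] and $_FILES['attels']['name'] respectively.
$rawId       = '7';
$client      = "O'Reilly";
$description = "Client said: \"it doesn't work\"";
$text        = "<p>I don't need these tags, but they're harmless now.</p>";
$uploadName  = '../../photo.jpg';

// The id is not data: validate it as an integer and reject anything else.
$id = filter_var($rawId, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

// basename() drops any directory part a client may put in the upload name,
// so the stored filename cannot be used to point outside the upload folder.
$image = basename($uploadName);   // "photo.jpg"

$changed = updateWork($db, $id, $client, $description, $text, $image);
echo "rows changed: {$changed}\n";

// Echo the text back into the form safely.
echo renderTextarea($text), "\n";
```

The id is validated with filter_var() rather than quoted, because it is a number in the query, and the file name goes through basename() before it is stored. Those two lines are not about the apostrophe at all, but they are the checks that the original query, which pastes $_GET['id'] and the upload name straight into the SQL, is missing.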