MichaelWilson Posted April 16, 2009

Ok so the deal is I have an inline content editor using NICEdit, really nice, and everything was on and off with bugginess until I fixed it a month ago or so. Now just starting yesterday shortly after I started \n and \t ing my code so the output is cleaner, I am getting errors when I update the content. It is an AJAX call so first it grabs the innerHTML, then sends it with:

```javascript
function MakeRequest(jsTheContent, theAction){
    var xmlHttp = getXMLHttp();
    xmlHttp.onreadystatechange = function(){
        if(xmlHttp.readyState == 4){
            //alert('finished calling');
            HandleResponse(xmlHttp.responseText, theAction);
        }
    };
    jsTheContent = escape(jsTheContent);
    var queryString = "dataSent=" + jsTheContent + "&editpage=" + jsCurrentPage + "&editpagesub=" + jsCurrentSub + "&action=" + theAction;
    xmlHttp.open("post", "php/updatecontent.php", true);
    xmlHttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xmlHttp.send(queryString);
}

function HandleResponse(response, whichArea){
    alert('Content Updated');
    if(whichArea == 'inline'){
        document.getElementById('mainInner').innerHTML = response;
    }else if(whichArea == 'subnav'){
        document.getElementById('subInner').innerHTML = response;
    }
}
```

And that seems to post the correct information (according to Firebug NET). Then it is received by my php update file, which grabs the post vars and sends them to update..

```php
<?php
include('admin/mysql_connect.php');
session_start();

if($_SESSION['loggedin'] != 'true' || $_SESSION['access'] < 4){
    header("Location: ../admin.php");
    exit; // stop here; header() alone does not end the script
}

$action = $_POST['action'];
if($action == "inline"){
    $response = $_POST['dataSent'];
    $sentCurrentPage = $_POST['editpage'];
    $sentCurrentSub = $_POST['editpagesub'];

    // Build the UPDATE from the posted values
    if($sentCurrentSub != ""){
        $sql = "UPDATE c_maincontent SET content = \"$response\" WHERE pages_id = \"$sentCurrentPage\" AND subpages_id = \"$sentCurrentSub\" ";
    }else{
        $sql = "UPDATE c_maincontent SET content = \"$response\" WHERE pages_id = \"$sentCurrentPage\" AND subpages_id = \"default\" ";
    }
    $result = mysql_query($sql) or die( mysql_error() );

    // Read the stored content back and return it to the AJAX caller
    if($sentCurrentSub != ""){
        $newQ = mysql_query ("SELECT * FROM c_maincontent WHERE pages_id = \"$sentCurrentPage\" AND subpages_id = \"$sentCurrentSub\" ");
    }else{
        $newQ = mysql_query ("SELECT * FROM c_maincontent WHERE pages_id = \"$sentCurrentPage\" AND subpages_id = \"default\" ");
    }
    while($row = mysql_fetch_array($newQ)){
        $response2 = $row['content'];
    }
    echo $response2;
}
```

So now we get to what I'm having issues with. When I hit save, the call is made and sent, then it is received by the javascript function HandleResponse, and the alert comes up, so the call is made and received, but when I hit ok to the alert, I get this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Arial, Helvetica, sans-serif" style="font-size:x-small;" />

I've checked each of my pages and it seems to occur at the first " (quote), and this error is being spit out by the $result = mysql_query($sql) or die( mysql_error() ); because I tested the error in there as well. Now, I don't think I changed anything at all yesterday that would change the formatting of what was sent via the ajax call or what was picked up by the update content field.
I have the escape function in the javascript as you can see, and that worked before, but now I don't know what is happening. If anyone has any ideas of how to improve this script with formatting the data for the URI, I'd greatly appreciate it.

This is my first time on this forum, and really the first time on any PHP forum, but I think I should start hanging out here because I really have a lot to learn.

Thanks,
Michael Wilson

Link to comment https://forums.phpfreaks.com/topic/154377-solved-odd-mysql-entry-error/

Mchl Posted April 16, 2009

Why don't you change \" to ' in your queries for a start? It'll make them easier to read.

Also use mysql_real_escape_string to avoid quotes breaking your queries (and, most importantly, a possibility of SQL injection)

Carth Posted April 16, 2009

> Also use mysql_real_escape_string to avoid quotes breaking your queries (and, most importantly, a possibility of SQL injection)

And if you do that, make sure the horrible magic_quotes_gpc isn't on (you'd be surprised how many servers still use old versions of PHP set up like that)! Either disable it in your php.ini, or at the top of every script check get_magic_quotes_gpc() and call stripslashes() appropriately. You don't want to escape your data twice.
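
The failure and the two fixes discussed above, as an added example that is not part of the thread or any poster's code. It swaps `mysql_real_escape_string` (the `mysql_*` extension was removed in PHP 7) for PDO prepared statements, and uses an in-memory SQLite database in place of MySQL so it runs offline. The function names, the `home` page id and the sample content are constructed for illustration; the table and column names come from the original script.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE c_maincontent (pages_id TEXT, subpages_id TEXT, content TEXT)');
$pdo->exec("INSERT INTO c_maincontent VALUES ('home', 'default', 'old text')");

// Constructed editor output containing the double quotes seen in the error message.
$content = '<font face="Arial, Helvetica, sans-serif" style="font-size:x-small;" />Hello';

// 1. Concatenation, as in the original script: the first " inside $content
//    terminates the SQL string literal, so the rest is parsed as SQL.
function updateConcatenated(PDO $pdo, string $content, string $page, string $sub): string
{
    $sub = ($sub !== '') ? $sub : 'default';
    $sql = "UPDATE c_maincontent SET content = \"$content\" "
         . "WHERE pages_id = \"$page\" AND subpages_id = \"$sub\"";
    try {
        $pdo->exec($sql);
        return 'ok';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// 2. Prepared statement: the values are bound separately from the SQL text,
//    so quotes in the content cannot change the query. Returns what was stored.
function updatePrepared(PDO $pdo, string $content, string $page, string $sub): string
{
    $sub = ($sub !== '') ? $sub : 'default';
    $write = $pdo->prepare('UPDATE c_maincontent SET content = :content
                            WHERE pages_id = :page AND subpages_id = :sub');
    $write->execute([':content' => $content, ':page' => $page, ':sub' => $sub]);
    $read = $pdo->prepare('SELECT content FROM c_maincontent
                           WHERE pages_id = :page AND subpages_id = :sub');
    $read->execute([':page' => $page, ':sub' => $sub]);
    return (string) $read->fetchColumn();
}

echo updateConcatenated($pdo, $content, 'home', ''), "\n";
var_dump(updatePrepared($pdo, $content, 'home', '') === $content);

// 3. Double escaping (Carth's point): addslashes() mimics what magic_quotes_gpc
//    did to $_POST. Bound as-is, the backslashes end up in the stored content;
//    stripslashes() first restores the original bytes.
$magicQuoted = addslashes($content);
var_dump(updatePrepared($pdo, $magicQuoted, 'home', '') === $content);
var_dump(updatePrepared($pdo, stripslashes($magicQuoted), 'home', '') === $content);
```

Running it requires the `pdo_sqlite` extension. Against MySQL only the DSN changes; the bound-parameter calls are the same.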

MichaelWilson Posted April 16, 2009

@Mchl That seemed to have fixed it, it's just really weird how I hadn't had that problem until it randomly appeared in the middle of the day yesterday! I really appreciate it! (We were taught eff all at my college for security, and I'm pretty sure after working 2 months that I know more than my Advanced Programming Teacher).. such a ridiculous course.

So, since you're so helpful, I might as well tap you as much as I can if you are willing! I'm looking to get into OOP (I know I know, I'm sorry!) But really, have no idea where to start with that in PHP. From there I'm going to hop into a framework (I've never used one before) so I need one that is pretty friendly, but I don't want to have to go from one to another just because the first one was easier but less 'power/functionality'. So I was looking at Cake because of the strict MVC model, which is all the rave. Is that what most people would recommend? Or do you find CI, Zend, or others significantly better? I'm willing to sacrifice many nights reading the entire docs.

Thanks!

ps.. @Carth - Well, right now I'm piggybacking on my friend's Dreamhost account, but I think they are up to date. Thanks for the information though.

Mchl Posted April 16, 2009

As far as OOP is concerned I'm pretty much a beginner. You should probably ask this question in our Application Frameworks section.

This topic is now archived and is closed to further replies.