adamjones Posted June 26, 2014

Hi, I have a text area field on one of my forms so that people can post articles; however, it doesn't work when I try to post HTML through it. It works if I post normal text. Also, PHP won't give me an error, it just doesn't insert it.

<?php
if ($_POST['add']) {
    $title   = addslashes($_POST['title']);
    $image   = htmlspecialchars($_POST['image']);
    $source  = mysql_real_escape_string($_POST['source']);
    $active  = $_POST['active'];
    $feature = $_POST['feature'];
    $cat_id  = $_POST['cat_id'];
    $content = htmlspecialchars($_POST['content']);

    $months = array("", "January", "February", "March", "April", "May", "June",
                    "July", "August", "September", "October", "November", "December");
    $date = date('d', time()) . ' ' . $months[date('n', time())] . ' ' . date('Y', time());

    if ($title == NULL || $image == NULL || $content == NULL) {
        echo '<br /><br /><center>Please, fill all inputs</center><br /><br />';
    } else {
        $add = "INSERT INTO `news` cat_id='$cat_id', title='$title', image='$image',
                content='$content', date='$date', author='".$user['admin']."',
                authorid='".$user['id']."', source='$source', active='$active',
                twitter='".$user['twitter']."', featured='$feature'" or die(mysql_error());
        $sql = mysql_query($add);

        $addgrowl = "INSERT INTO `growl` (toid, message) VALUES ('$id', 'Your article is now online!')";
        $sql = mysql_query($addgrowl);

        echo '<script type="text/javascript"> window.location = "articles.php" </script> ';
    }
}
?>

Help :-(
Jacques1 Posted June 26, 2014

None of this makes a lot of sense.

The first INSERT query isn't valid SQL syntax. I'm not even sure what you're trying to do there. Did you mix up the syntax of UPDATE and INSERT? Did you want to use the special INSERT INTO ... SET ... syntax provided by MySQL?

The query is wide open to SQL injections. You're randomly applying three different escaping functions to some of the values, but you don't seem to understand what they do and when to use them.

You're applying or die(mysql_error()) to a string? Do you really want the whole world to see your database errors?

The mysql_* functions have been obsolete for more than 10 years, they have been deprecated since PHP 5.5, and they will be removed in one of the next PHP versions. It's about time to switch.

The center element has been obsolete since HTML 4. That was back in 1997!

A redirect with JavaScript? Why not an actual HTTP redirect with the header() function?

This date() thing is odd. I think what you actually want is date('d F Y').
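The following is an added example of how the same "add article" handler looks once the points above are applied: a syntactically valid INSERT with a column list, values bound through PDO prepared statements instead of string concatenation and ad-hoc escaping, database errors logged rather than echoed, an HTTP redirect via header(), and date('d F Y'). It is not the original poster's code and not from this thread. It assumes a PDO connection (placeholder DSN and credentials), a $user array for the logged-in author with the keys the original code uses ('admin', 'id', 'twitter'), the `news` and `growl` tables named on the page, and that active/featured are 0/1 integer flags.

```php
<?php
// Added example: hardened version of the "add article" handler from the question.
// Assumptions: $pdo is a PDO connection, $user holds the logged-in author's row
// (keys 'admin', 'id', 'twitter'), table/column names are those used on the page,
// and active/featured are 0/1 integer flags.
declare(strict_types=1);

/**
 * Insert one article and its notification row.
 * Returns the new article id, or null when a required field is empty.
 *
 * Every value is bound as a parameter, so HTML in $content is stored verbatim and
 * cannot change the meaning of the SQL. Escape it with htmlspecialchars() when it
 * is rendered, not when it is stored.
 */
function addArticle(PDO $pdo, array $post, array $user): ?int
{
    $title   = trim((string)($post['title'] ?? ''));
    $image   = trim((string)($post['image'] ?? ''));
    $content = (string)($post['content'] ?? '');
    if ($title === '' || $image === '' || $content === '') {
        return null;
    }

    $sql = 'INSERT INTO `news`
                (`cat_id`, `title`, `image`, `content`, `date`, `author`, `authorid`,
                 `source`, `active`, `twitter`, `featured`)
            VALUES
                (:cat_id, :title, :image, :content, :date, :author, :authorid,
                 :source, :active, :twitter, :featured)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':cat_id'   => (int)($post['cat_id'] ?? 0),
        ':title'    => $title,
        ':image'    => $image,
        ':content'  => $content,
        ':date'     => date('d F Y'),            // e.g. "26 June 2014", replaces the $months[] lookup
        ':author'   => (string)$user['admin'],
        ':authorid' => (int)$user['id'],
        ':source'   => (string)($post['source'] ?? ''),
        ':active'   => (int)!empty($post['active']),
        ':twitter'  => (string)$user['twitter'],
        ':featured' => (int)!empty($post['feature']),
    ]);
    $articleId = (int)$pdo->lastInsertId();

    // Second statement is parameterised the same way; the original used an undefined $id here.
    $growl = $pdo->prepare('INSERT INTO `growl` (`toid`, `message`) VALUES (:toid, :message)');
    $growl->execute([':toid' => (int)$user['id'], ':message' => 'Your article is now online!']);

    return $articleId;
}

// Connection: exceptions instead of silent failures, real server-side prepares.
// DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

if (isset($_POST['add'])) {
    try {
        $id = addArticle($pdo, $_POST, $user);
    } catch (PDOException $e) {
        error_log($e->getMessage());          // keep the detail in the server log, not in the page
        http_response_code(500);
        exit('Could not save the article.');
    }

    if ($id === null) {
        echo '<p>Please fill in all inputs.</p>';
    } else {
        header('Location: articles.php', true, 303);   // HTTP redirect instead of window.location
        exit;
    }
}
```

The design choice worth noting is that the poster's symptom (HTML in the text area silently not inserting) goes away as a side effect of parameter binding: the database driver sends the content separately from the statement text, so quotes, angle brackets and backslashes in user input can neither break the query nor be interpreted as SQL. With PDO::ERRMODE_EXCEPTION a malformed statement also fails loudly in the log instead of returning false from mysql_query() unnoticed.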