iainlang Posted May 1, 2008

Hello.

[ BTW - After reading "Have you been helped here?" I've been looking for a "Donate" button but I can't find one that doesn't just take me back to the Home page. Can anyone point me to the right URL? ]

Now... I wrote my own small, very simple, naive, CMS scripts to help small charities run their own database-driven website without further aid from anyone outside their organisation. I have about thirty now and all has been working well for about four years but one theatre Trust wants a What's On section (note the apostrophe - oddly enough, the first time any of "my" little charities thought to use one) and it seems that this forbids the creation of Sub-sections within any Section whose title contains an apostrophe.

I've listed my scripts below; can anyone tell me what the solution might be to the apostrophe problem, please? I'm sort'v self-taught and am probably missing something stupid.

Thanx. Iain.

```php
include("php-lib/connect_inc.php");
$section_name=trim (strtolower($section_name));
$section_text=nl2br($section_text);
$TableName="sections";
$Query="INSERT INTO $TableName (section_id, section_name, section_vis_name, section_heading, section_text, image_filename, title_text) VALUES ('$section_id', '$section_name', '$section_vis_name', '$section_heading', '$section_text', '$file_name', '$title_text')";
$Result=mysql_db_query ($DBName, $Query, $Link);
include("sec_add.php");
```

```php
$TableName="images_sub_sections";
$TableName="sections";
include("php-lib/connect_inc.php");
$Query="SELECT section_name, section_vis_name FROM $TableName WHERE section_id='$section_id' ";
$Result=mysql_db_query ($DBName, $Query, $Link);
while ($Row=mysql_fetch_array ($Result)) {
    $section_name=$Row[section_name];
    $section_vis_name=$Row[section_vis_name];
}
$sub_section_name=trim(strtolower($sub_section_name));
$sub_section_text=nl2br($sub_section_text);
$TableName="sub_sections";
$Query="INSERT INTO $TableName (sub_section_id, section_name, section_vis_name, sub_section_name, sub_section_vis_name, sub_section_heading, sub_section_text, image_filename, title_text) VALUES ('$sub_section_id', '$section_name', '$section_vis_name', '$sub_section_name', '$sub_section_vis_name', '$sub_section_heading', '$sub_section_text', '$file_name', '$title_text')";
$Result=mysql_db_query ($DBName, $Query, $Link);
include("sub_sec_display_short.php");
```
Daniel0 Posted May 1, 2008

Try running the name through mysql_real_escape_string() before inserting it into the database. Also, what errors are you getting?

> [ BTW - After reading "Have you been helped here?" I've been looking for a "Donate" button but I can't find one that doesn't just take me back to the Home page. Can anyone point me to the right URL? ]

That page was lost after the old site was taken down. However, see this post.
iainlang Posted May 1, 2008

Thanx for your swift response. Do you mean like -

```php
include("php-lib/connect_inc.php");
$section_name=trim (strtolower($section_name));
$section_name=mysql_real_escape_string($section_name);
$section_text=nl2br($section_text);
$TableName="sections";
$Query="INSERT INTO $TableName (section_id, section_name, section_vis_name, section_heading, section_text, image_filename, title_text) VALUES ('$section_id', '$section_name', '$section_vis_name', '$section_heading', '$section_text', '$file_name', '$title_text')";
$Result=mysql_db_query ($DBName, $Query, $Link);
include("sec_add.php");
```

'cos if that's it, it doesn't seem to work. I use HotDog and mysql and php functions are automatically coloured but this doesn't happen with the mysql_real_escape_string thing-y.

Sorry to be so thick. Yoooors, Iain.

[ I sent phpfreaks 10 sterling at the e-mail address donate@thewebfreaks.com - dunno what that comes to in dollars. ]
iainlang Posted May 1, 2008

Sorry - I should have answered your question. The only error I get is that the Sub-section doesn't get inserted into the database table.
Daniel0 Posted May 1, 2008

Try to add `or die(mysql_error());` after the function executing the query.
iainlang Posted May 1, 2008

I've done -

```php
include("php-lib/connect_inc.php");
$section_name=trim (strtolower($section_name));
$section_name=mysql_real_escape_string($section_name); // <<----- ;
$section_text=nl2br($section_text);
$TableName="sections";
$Query="INSERT INTO $TableName (section_id, section_name, section_vis_name, section_heading, section_text, image_filename, title_text) VALUES ('$section_id', '$section_name', '$section_vis_name', '$section_heading', '$section_text', '$file_name', '$title_text') ";
$Result=mysql_db_query ($DBName, $Query, $Link) or die(mysql_error()); // <<----- ;
include("sec_add.php");
```

which seems to be accepted without question, and

```php
$TableName="images_sub_sections";
$TableName="sections";
include("php-lib/connect_inc.php");
$Query="SELECT section_name, section_vis_name FROM $TableName WHERE section_id='$section_id' ";
$Result=mysql_db_query ($DBName, $Query, $Link);
while ($Row=mysql_fetch_array ($Result)) {
    $section_name=$Row[section_name];
    $section_vis_name=$Row[section_vis_name];
}
$sub_section_name=trim(strtolower($sub_section_name));
$sub_section_text=nl2br($sub_section_text);
$TableName="sub_sections";
$Query="INSERT INTO $TableName (sub_section_id, section_name, section_vis_name, sub_section_name, sub_section_vis_name, sub_section_heading, sub_section_text, image_filename, title_text) VALUES ('$sub_section_id', '$section_name', '$section_vis_name', '$sub_section_name', '$sub_section_vis_name', '$sub_section_heading', '$sub_section_text', '$file_name', '$title_text')";
print("$Query< br >"); // <<----- ;
$Result=mysql_db_query ($DBName, $Query, $Link) or die(mysql_error()); // <<----- ;
include("sub_sec_display_short.php");
```

which produces the line -

```
INSERT INTO sub_sections (sub_section_id, section_name, section_vis_name, sub_section_name, sub_section_vis_name, sub_section_heading, sub_section_text, image_filename, title_text) VALUES ('4000', 'whats_on', 'What's On', 'test_sub_section', 'Test Sub-section', 'Test Sub-section heading', 'Test Sub-section text.', '', '')
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's On', 'test_sub_section', 'Test Sub-section', 'Test Sub-section heading', 'Test' at line 1
```

Dunno if that makes any sense to you; it doesn't to me.
Daniel0 Posted May 1, 2008

This:

> INSERT INTO sub_sections (sub_section_id, section_name, section_vis_name, sub_section_name, sub_section_vis_name, sub_section_heading, sub_section_text, image_filename, title_text) VALUES ('4000', 'whats_on', 'What's On', 'test_sub_section', 'Test Sub-section', 'Test Sub-section heading', 'Test Sub-section text.', '', '')
>
> You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's On', 'test_sub_section', 'Test Sub-section', 'Test Sub-section heading', 'Test' at line 1

is the problem. As you see, it's the $section_vis_name one that is the problem. You should run it (and all other values) through mysql_real_escape_string().
iainlang Posted May 1, 2008

Magic! Abso-bally-lutely magic! I think I'll start a Feast Day in your honour, name my seventeenth-born after you, raise a graven image, declare a Public Holiday, etc. Dunno how you guys do it. Big thanx.
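
The failure in this thread, reproduced as an added example that is not code from any of the posts: a value that was stored safely still breaks the next query when it is read back and interpolated, which is why every value needs handling on every query. It uses PDO prepared statements rather than the mysql_real_escape_string() call suggested above, and an in-memory SQLite database with cut-down versions of the thread's tables; both are assumptions made so it runs offline.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// thread; the in-memory SQLite database is an assumption so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sections (section_id INTEGER, section_name TEXT, section_vis_name TEXT)');
$db->exec('CREATE TABLE sub_sections (sub_section_id INTEGER, section_name TEXT,
           section_vis_name TEXT, sub_section_name TEXT)');

// 1. The section is stored safely: placeholders keep the apostrophe as data.
$ins = $db->prepare('INSERT INTO sections VALUES (?, ?, ?)');
$ins->execute([1, 'whats_on', "What's On"]);

// 2. Read it back. The stored value contains a raw apostrophe, exactly as typed.
$sel = $db->prepare('SELECT section_name, section_vis_name FROM sections WHERE section_id = ?');
$sel->execute([1]);
$row = $sel->fetch(PDO::FETCH_ASSOC);

// 3. Broken pattern from the thread: the value read from the database is
//    interpolated into the next query, so its apostrophe ends the string literal.
$query = "INSERT INTO sub_sections VALUES (4000, '{$row['section_name']}', "
       . "'{$row['section_vis_name']}', 'test_sub_section')";
try {
    $db->exec($query);
    echo "interpolated insert: ok\n";
} catch (PDOException $e) {
    echo "interpolated insert failed: ", $e->getMessage(), "\n";
}

// 4. Fixed pattern: every value is bound, whatever its origin (form or database).
$sub = $db->prepare('INSERT INTO sub_sections VALUES (?, ?, ?, ?)');
$sub->execute([4000, $row['section_name'], $row['section_vis_name'], 'test_sub_section']);

$count  = $db->query('SELECT COUNT(*) FROM sub_sections')->fetchColumn();
$stored = $db->query('SELECT section_vis_name FROM sub_sections')->fetchColumn();
echo "rows in sub_sections: $count, section_vis_name: $stored\n";
```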