PHP Post a mySQL Query Escaping problem!


a1amattyj

Hello,

Basically, this script allows an admin to run a query via a MySQL database. Simply an input text box; PHP:

    $query1 = $_POST['query'];
    $query0 = str_replace('{$table}',$forumname,$query1);
    $result = mysql_query($query0);
    echo mysql_error();

Okay, so say I run...

    INSERT IGNORE INTO {$table}_smf_settings (`variable`,`value`) VALUES ('shopVersion', '3.0')

For some reason, the post is changing it into:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'shopVersion\', \'3.0\')' at line 1

Thanks!



Hi,

Check if "get_magic_quotes_gpc" is ON. If it is, then single quotes and double quotes are escaped automatically.


It probably is, but then say I just remove all the quotes and run:

    INSERT INTO {$table}_smf_settings (variable,value) VALUES (shopVersion, 3.0)

Unknown column 'shopVersion' in 'field list'

The script does work; it just created 10,000+ tables.

Any ideas?
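
The check suggested in the reply, as an added example that is not part of the original thread: it undoes magic-quotes escaping on the posted query before the `{$table}` substitution, so the string literals keep their quotes (without them, as in the follow-up, MySQL reads `shopVersion` as a column name). The helper names, the prefix check and the `forum1` prefix are assumptions made for this example.

```php
<?php
// Added example; raw_post_value() and expand_table_placeholder() are
// hypothetical helpers, not functions from the original script.

// Return a POST field as the user typed it, undoing magic_quotes_gpc if active.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the function_exists guard.
function raw_post_value(array $post, $key, $magicQuotesOn = null)
{
    if ($magicQuotesOn === null) {
        $magicQuotesOn = function_exists('get_magic_quotes_gpc')
            && @get_magic_quotes_gpc();
    }
    $value = isset($post[$key]) ? $post[$key] : '';
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Substitute the {$table} placeholder, accepting only identifier-safe prefixes
// so the prefix itself cannot change the shape of the statement.
function expand_table_placeholder($sql, $prefix)
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix)) {
        throw new InvalidArgumentException('Unexpected characters in table prefix');
    }
    return str_replace('{$table}', $prefix, $sql);
}

// Constructed input: the query from the first post, as typed into the form.
$typed = <<<'SQL'
INSERT IGNORE INTO {$table}_smf_settings (`variable`,`value`) VALUES ('shopVersion', '3.0')
SQL;

// addslashes() escapes the same characters magic_quotes_gpc did, so this is
// what $_POST['query'] would contain on a server with the setting enabled.
$post = array('query' => addslashes($typed));
echo "As received: ", $post['query'], "\n";

// Third argument forces the "magic quotes on" path for the demonstration;
// 'forum1' is a constructed prefix standing in for $forumname.
$sql = expand_table_placeholder(raw_post_value($post, 'query', true), 'forum1');
echo "As executed: ", $sql, "\n";
```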

Archived

This topic is now archived and is closed to further replies.
