stublackett Posted July 28, 2008 Share Posted July 28, 2008 Hi Guys, I'm getting this error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's I assume that my Database is setup not to allow apostrophes The current Collation is set to : latin1_swedish_ci Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/ Share on other sites More sharing options...
PFMaBiSmAd Posted July 28, 2008 Share Posted July 28, 2008 You would need to post your query to get specific help, but string data in a query needs to be enclosed in single-quotes and any special characters (like quotes) in data must be escaped. Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601628 Share on other sites More sharing options...
stublackett Posted July 28, 2008 Author Share Posted July 28, 2008 My Code for SQL Insert is : // If all is ok, Insert into DB $sql = "INSERT INTO $db_table(title,location,day,month,year,description) values ('$title','$location','$day','$month','$year','$description')"; // Incase needed($result = mysql_query($sql ,$db)); ($result = mysql_query($sql ,$db) or die(mysql_error())); The main problem area seems to be the description box which is getting a fair bit of information The PHP Bit for that is Is it worth trying stripslashes ? <?php if (!empty($_POST['description'])) { $description = $_POST['description']; }else{ $description = NULL; $errors['description'] = '<p><font color="red">You need to enter a description for your event</font></p>'; } ?> Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601630 Share on other sites More sharing options...
PFMaBiSmAd Posted July 28, 2008 Share Posted July 28, 2008 You need to use the mysql_real_escape_string() function on any data in a query that could contain special characters. This does two things, it prevents sql injection in external data and it prevents special characters in the data from breaking the query and causing a sql syntax error. Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601639 Share on other sites More sharing options...
stublackett Posted July 28, 2008 Author Share Posted July 28, 2008 Sorry...... Where does that go? I assume that replaces the ($result = mysql_query($sql ,$db) or die(mysql_error())); ??? Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601646 Share on other sites More sharing options...
PFMaBiSmAd Posted July 28, 2008 Share Posted July 28, 2008 There are code examples in the php manual for most php functions - http://php.net/mysql_real_escape_string Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601650 Share on other sites More sharing options...
stublackett Posted July 28, 2008 Author Share Posted July 28, 2008 My code now looks like this : $sql = "INSERT INTO $db_table2(title, category, address, postcode, telephone, email, website, info, image1, image2) values ('$title','$category','$address','$postcode','$telephone','$email','$website','$info','$img1','$img2')"; mysql_real_escape_string($info) But its still complaining when an ' or another foreign character is entered, Are we sure that its not down to the Databases' Collation? Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-601663 Share on other sites More sharing options...
fenway Posted July 29, 2008 Share Posted July 29, 2008 Plesae echo $sql... and you need to escape your variables BEFORE preparing the statement. Link to comment https://forums.phpfreaks.com/topic/116987-sql-error-in-syntax/#findComment-602656 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.