stublackett Posted July 28, 2008
Hi Guys, I'm getting this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's

I assume that my database is set up not to allow apostrophes. The current collation is set to: latin1_swedish_ci
PFMaBiSmAd Posted July 28, 2008
You would need to post your query to get specific help, but string data in a query needs to be enclosed in single-quotes and any special characters (like quotes) in data must be escaped.
stublackett (Author) Posted July 28, 2008
My code for the SQL insert is:

// If all is ok, insert into DB
$sql = "INSERT INTO $db_table(title,location,day,month,year,description) values ('$title','$location','$day','$month','$year','$description')";
// In case needed: ($result = mysql_query($sql ,$db));
($result = mysql_query($sql ,$db) or die(mysql_error()));

The main problem area seems to be the description box, which is getting a fair bit of information. The PHP bit for that is:

<?php
if (!empty($_POST['description'])) {
    $description = $_POST['description'];
} else {
    $description = NULL;
    $errors['description'] = '<p><font color="red">You need to enter a description for your event</font></p>';
}
?>

Is it worth trying stripslashes?
PFMaBiSmAd Posted July 28, 2008
You need to use the mysql_real_escape_string() function on any data in a query that could contain special characters. This does two things: it prevents SQL injection in external data, and it prevents special characters in the data from breaking the query and causing an SQL syntax error.
stublackett (Author) Posted July 28, 2008
Sorry...... Where does that go? I assume that replaces the ($result = mysql_query($sql ,$db) or die(mysql_error())); ???
PFMaBiSmAd Posted July 28, 2008
There are code examples in the PHP manual for most PHP functions - http://php.net/mysql_real_escape_string
stublackett (Author) Posted July 28, 2008
My code now looks like this:

$sql = "INSERT INTO $db_table2(title, category, address, postcode, telephone, email, website, info, image1, image2) values ('$title','$category','$address','$postcode','$telephone','$email','$website','$info','$img1','$img2')";
mysql_real_escape_string($info)

But it's still complaining when an ' or another foreign character is entered. Are we sure that it's not down to the database's collation?
fenway Posted July 29, 2008
Please echo $sql... and you need to escape your variables BEFORE preparing the statement.
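To make both points above concrete (PFMaBiSmAd's "escape any data that could contain special characters" and fenway's "escape BEFORE building the query"), here is an added example. It is not code from the thread. It contrasts the poster's ordering, where the escaping call runs after `$sql` is already built and its return value is discarded, with escaping each value first, and then shows the prepared-statement form that needs no escaping step at all. The table name `events`, the sample row, and the use of `addslashes` as an offline stand-in escaper are assumptions; with a live connection the escaper is `mysqli_real_escape_string` (the `mysql_*` extension the thread uses was removed in PHP 7.0, and `mysqli_real_escape_string($link, $s)` is its equivalent).

```php
<?php
// Added example, not code from the thread. Constructed input: an event
// description containing apostrophes, the character that broke the poster's
// INSERT. Table and column names are assumed; they come from the application's
// own code, never from the request, so they are not escaped here.

declare(strict_types=1);

// WRONG (the pattern in the thread): the SQL string is built from the raw
// values first, and the escaping call comes afterwards with its return value
// thrown away. The query sent to MySQL still contains the bare apostrophe.
function build_insert_wrong(string $table, array $row, callable $escape): string
{
    $cols = implode(', ', array_keys($row));
    $vals = implode("', '", array_values($row));
    $sql  = "INSERT INTO $table ($cols) VALUES ('$vals')";
    $escape($row['description']);   // no effect on $sql, which is already built
    return $sql;
}

// RIGHT: escape every value, then interpolate the escaped copies. Quotes,
// backslashes and NULs inside the data can no longer end the string literal.
function build_insert(string $table, array $row, callable $escape): string
{
    $cols = implode(', ', array_keys($row));
    $vals = implode("', '", array_map($escape, array_values($row)));
    return "INSERT INTO $table ($cols) VALUES ('$vals')";
}

// BETTER: a prepared statement keeps the data out of the SQL text entirely,
// so there is no escaping step to forget. Requires a live mysqli connection.
function insert_event_prepared(mysqli $db, string $table, array $row): bool
{
    $cols  = implode(', ', array_keys($row));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt  = $db->prepare("INSERT INTO $table ($cols) VALUES ($marks)");
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $values = array_values($row);              // bind_param needs variables
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    return $stmt->execute();
}

// Constructed sample row, shaped like the thread's events table.
$row = [
    'title'       => "St Mary's summer fete",
    'location'    => 'Village green',
    'day'         => '28',
    'month'       => '7',
    'year'        => '2008',
    'description' => "Bring the kids; it's free. Stalls open at 10 o'clock.",
];

// With a connection $db, the escaper is mysqli_real_escape_string bound to it,
// which honours the connection's character set (the correct choice):
//   $escape = fn(string $s): string => mysqli_real_escape_string($db, $s);
// For an offline run of this script, addslashes stands in. It escapes the same
// characters (', ", \, NUL) but is not charset-aware, so it is a demo stand-in only.
$escape = 'addslashes';

echo "Broken order (apostrophes still bare):\n  ",
     build_insert_wrong('events', $row, $escape), "\n";
echo "Escaped first (apostrophes backslashed):\n  ",
     build_insert('events', $row, $escape), "\n";
```

Echoing the two strings side by side does exactly what fenway asks for: the first shows `'St Mary's summer fete'`, which MySQL reads as the literal `'St Mary'` followed by stray tokens (hence "near 's"), while the second shows `'St Mary\'s summer fete'`. The collation (`latin1_swedish_ci`) governs sorting and comparison, not whether an apostrophe may appear in a string, so it is not the cause of the syntax error.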