stublackett Posted July 30, 2008 Share Posted July 30, 2008 Hi, I'm getting an SQL Syntax Error when inserting into a Database, I'm constantly having this problem on pieces of code i'm writing, So could do with a solution which will help me from now on I'm getting the SQL Syntax Error Couldn't UPDATE to database:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Messages'' WHERE gbID = '2002'' at line 1 - 'UPDATE bdGuest SET Confirmed='1',Message='Test's Messages'' WHERE gbID = '2002';' I'm assumit its something to do with the apostrophes in the Message field as anything without an apostrophe goes straight in Here is my code, How do I add addslashes or stripslashes to this line of code? <?php require_once("scripts/mysqlClass.php"); $guestDB = new dbHandler; if(@$_POST) { if(@$_POST['delete'] && $_POST['gbID']) { require_once("scripts/mysqlAdminClass.php"); $adminDB = new dbAdminHandler; $adminDB->connect(); $adminDB->start_delete("bdGuest"); $adminDB->where("gbID = '{$_POST['gbID']}'"); $adminDB->query(); $msg = "Item Deleted"; } if(@$_POST['add'] && $_POST['gbID']) { require_once("scripts/mysqlAdminClass.php"); $adminDB = new dbAdminHandler; $adminDB->connect(); $fields = Array("Confirmed","Message"); $values = Array("1",nl2br($_POST['Message'])); if(strlen($values[1] ) < 5) die("Message Too Short ".$values[1]. " " . $_POST['Message']); $adminDB->update("bdGuest",$fields,$values); $adminDB->where("gbID = '{$_POST['gbID']}'"); $adminDB->query(); $msg = "Item Added to Guestbook"; } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/117302-solved-stripslashes/ Share on other sites More sharing options...
JonnoTheDev Posted July 30, 2008 Share Posted July 30, 2008 $values = Array("1",addslashes(nl2br($_POST['Message']))); It may be better to modify your dbAdminHandler class to auto escape any values rather than you using the above method. Quote Link to comment https://forums.phpfreaks.com/topic/117302-solved-stripslashes/#findComment-603394 Share on other sites More sharing options...
monkeytooth Posted July 30, 2008 Share Posted July 30, 2008 me personally I do stripslashes.. but I add ereg_replace into it as well maybe as an over catious person I dunno.. I use ereg_replace to replace things like quotes double quotes less then more than etc.. with other things.. like [dblqte] [snglqte] etc.. and have it insert that way into my database.. then when needed to be called out of for display I use str_replace to find thigns like [dblqte] [snglqte] and replace them with what I had them orginally replaced with for display.. to me thats just keeps things cleaner a bit easier on my end with what I think may help prevent injection attacks.. as well as just generally with what I think may help keep my code from bunking out cause of an extra something generated on the user end.. Quote Link to comment https://forums.phpfreaks.com/topic/117302-solved-stripslashes/#findComment-603403 Share on other sites More sharing options...
stublackett Posted July 30, 2008 Author Share Posted July 30, 2008 $values = Array("1",addslashes(nl2br($_POST['Message']))); It may be better to modify your dbAdminHandler class to auto escape any values rather than you using the above method. Spot on cheers Neil! Quote Link to comment https://forums.phpfreaks.com/topic/117302-solved-stripslashes/#findComment-603411 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.