apostrophe - how do i stop it causing so many problems?

[slaterino]

Hi,

I have created an image gallery which works absolutely perfectly. Except when there's an apostrophe involved. This seems to break the syntax of the php and an error message gets spit out. I also have this problem on a page which shows data from a mysql table, where the apostrophe are displayed as question mark. This is the php from the gallery form. Is there anything simple that can be changed to allow for apostrophe's to be used?

 

<?php
if(isset($_POST['txtTitle']))
{
    $albumId   = $_POST['cboAlbum'];
    $imgTitle  = $_POST['txtTitle'];
    $imgDesc   = $_POST['mtxDesc'];
    $imgDiv    = $_POST['mtxDiv'];
    $imgEx    = $_POST['mtxEx'];

    $images    = uploadImage('fleImage', GALLERY_IMG_DIR);

    if ($images['image'] == '' && $images['thumbnail'] == '') {
        echo "Error uploading file";
        exit;
    }
   
    $image     = $images['image'];
    $thumbnail = $images['thumbnail'];
   
    if (!get_magic_quotes_gpc()) {
        $albumName  = addslashes($albumName);
        $albumDesc  = addslashes($albumDesc);
        $imgPath    = addslashes($imgPath);
    }  

    $sql = "INSERT INTO tbl_image (im_album_id, im_title, im_bloom, im_division, im_exhibit, im_image, im_thumbnail, im_date)
            VALUES ($albumId, '$imgTitle', '$imgDesc', '$imgDiv', '$imgEx', '$image', '$thumbnail', NOW())";

    mysql_query($sql) or die('Error, add image failed : ' . mysql_error());                    
   
    echo "<script>window.location.href='index.php?page=list-image&album=$albumId';</script>";
    exit;
}  

// get album list
$sql = "SELECT al_id, al_name
        FROM tbl_album
        ORDER BY al_name";
$result = mysql_query($sql) or die('Error, get album list failed : ' . mysql_error());                    

$albumList = '';
$selectedAlbum = isset($_GET['album']) ? $_GET['album'] : '';
while ($row = mysql_fetch_assoc($result)) {
    $albumList .= '<option value="' . $row['al_id']. '"';
   
    if ($row['al_id'] == $selectedAlbum) {
        $albumList .= ' selected';
    }
   
    $albumList .= '>' . $row['al_name'] . '</option>'; 
}   
?>

 

 

Thanks!!!

Russ

[kenrbnsn]

Where are you having the problems? In the MySQL functions or displaying HTML?

 

Ken

[slaterino]

The problem is with the mysql. I should have put the error message up really. This is what I'm getting:

 

"Error, add image failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's memory', 'Best Bloom', '3WY', 'Paul Payne', 'e0733779bfb0171293d9f951a22c390b.gif', '341bca9301804' at line 2"

 

The first field in the form was typed in as Astrid's Memory. I'm therefore assuming that the apostrophe is breaking the syntax somehow. Would addslashes or htmlentities sort this problem out? If so, does anyone know how to use them or could just point me in the right direction?

 

Cheers

Russ

[Mchl]

You should treat all $imgTitle, $imgDesc etc... variables with mysql_real_escape_string() before inserting them into query.

 

 

Like this

$imgTitle  = mysql_real_escape_string($_POST['txtTitle']);

[ILYAS415]

Hi. Its SQL injection thats causing you the problems.

Try using the mysql_real_escape_string function before you put something into a query or when.

 

For example you could use...

$variable= mysql_real_escape_string($string_variable_here);

$check= mysql_query("SELECT * FROM table WHERE column='$variable'");

[slaterino]

Hey,

That's done the trick! Thanks for the help!