slaterino Posted August 18, 2008 Share Posted August 18, 2008 Hi, I have created an image gallery which works absolutely perfectly. Except when there's an apostrophe involved. This seems to break the syntax of the php and an error message gets spit out. I also have this problem on a page which shows data from a mysql table, where the apostrophe are displayed as question mark. This is the php from the gallery form. Is there anything simple that can be changed to allow for apostrophe's to be used? <?php if(isset($_POST['txtTitle'])) { $albumId = $_POST['cboAlbum']; $imgTitle = $_POST['txtTitle']; $imgDesc = $_POST['mtxDesc']; $imgDiv = $_POST['mtxDiv']; $imgEx = $_POST['mtxEx']; $images = uploadImage('fleImage', GALLERY_IMG_DIR); if ($images['image'] == '' && $images['thumbnail'] == '') { echo "Error uploading file"; exit; } $image = $images['image']; $thumbnail = $images['thumbnail']; if (!get_magic_quotes_gpc()) { $albumName = addslashes($albumName); $albumDesc = addslashes($albumDesc); $imgPath = addslashes($imgPath); } $sql = "INSERT INTO tbl_image (im_album_id, im_title, im_bloom, im_division, im_exhibit, im_image, im_thumbnail, im_date) VALUES ($albumId, '$imgTitle', '$imgDesc', '$imgDiv', '$imgEx', '$image', '$thumbnail', NOW())"; mysql_query($sql) or die('Error, add image failed : ' . mysql_error()); echo "<script>window.location.href='index.php?page=list-image&album=$albumId';</script>"; exit; } // get album list $sql = "SELECT al_id, al_name FROM tbl_album ORDER BY al_name"; $result = mysql_query($sql) or die('Error, get album list failed : ' . mysql_error()); $albumList = ''; $selectedAlbum = isset($_GET['album']) ? $_GET['album'] : ''; while ($row = mysql_fetch_assoc($result)) { $albumList .= '<option value="' . $row['al_id']. '"'; if ($row['al_id'] == $selectedAlbum) { $albumList .= ' selected'; } $albumList .= '>' . $row['al_name'] . '</option>'; } ?> Thanks!!! Russ Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted August 19, 2008 Share Posted August 19, 2008 Where are you having the problems? In the MySQL functions or displaying HTML? Ken Quote Link to comment Share on other sites More sharing options...
slaterino Posted August 19, 2008 Author Share Posted August 19, 2008 The problem is with the mysql. I should have put the error message up really. This is what I'm getting: "Error, add image failed : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's memory', 'Best Bloom', '3WY', 'Paul Payne', 'e0733779bfb0171293d9f951a22c390b.gif', '341bca9301804' at line 2" The first field in the form was typed in as Astrid's Memory. I'm therefore assuming that the apostrophe is breaking the syntax somehow. Would addslashes or htmlentities sort this problem out? If so, does anyone know how to use them or could just point me in the right direction? Cheers Russ Quote Link to comment Share on other sites More sharing options...
Mchl Posted August 19, 2008 Share Posted August 19, 2008 You should treat all $imgTitle, $imgDesc etc... variables with mysql_real_escape_string() before inserting them into query. Like this $imgTitle = mysql_real_escape_string($_POST['txtTitle']); Quote Link to comment Share on other sites More sharing options...
ILYAS415 Posted August 19, 2008 Share Posted August 19, 2008 Hi. Its SQL injection thats causing you the problems. Try using the mysql_real_escape_string function before you put something into a query or when. For example you could use... $variable= mysql_real_escape_string($string_variable_here); $check= mysql_query("SELECT * FROM table WHERE column='$variable'"); Quote Link to comment Share on other sites More sharing options...
slaterino Posted August 19, 2008 Author Share Posted August 19, 2008 Hey, That's done the trick! Thanks for the help! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.