jrws Posted April 25, 2009

Hey there, I thought I had sufficient protection from crashes, but evidently not. When I edit news, which is a simple UPDATE query, I get the error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'etty princess )rnseernitrndoesrnitrnwhenrnirntryrntornwriternlikernthis.' WHER' at line 1

etc. However I have protected the input by using this function:

<?php
function clean($string)
{
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    } elseif (!get_magic_quotes_gpc()) {
        $string = addslashes(trim($string));
    }
    $string = trim($string);
    //$string = escapeshellcmd($string); // Uncomment if the website uploading to allows this.
    $string = mysql_real_escape_string($string);
    $string = stripslashes(strip_tags(htmlspecialchars($string)));
    return $string;
}
?>

So, why am I returning an error? Do you want to/need to see the edit page?

EDIT: I was wanting to know why it doesn't escape the entered data; I have made sure I secured it.
Mchl Posted April 25, 2009

$string = stripslashes(strip_tags(htmlspecialchars($string)));

You're removing the slashes you just inserted...
PFMaBiSmAd Posted April 25, 2009

Someone else (*** see note below) posted that code in this forum not too long ago and I pointed out all the problems in it and posted corrected code - http://www.phpfreaks.com/forums/index.php/topic,248314.msg1162551.html#msg1162551

Wherever you got that code from, some hacker probably posted it so that he could break into your site/database. I hope you did not need to supply any identifying information at the site where you got that from that leads back to your domain.

*** Edit: And in looking up that previous link, it turns out it was jrws who previously posted the same code. If you are not going to use the help you get, bad code will always be bad code.
jrws Posted April 30, 2009 (Author)

Doh, thanks, I just realized. What I had done was changed the advised code from you into my LOCALHOST, instead of putting it onto the live site. Thanks for pointing it out.
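As an added illustration (not code from anyone in this thread), the following reproduces the ordering bug Mchl points out and puts a prepared statement beside it as the defensive alternative. It assumes magic_quotes_gpc was on (so the first branch of the posted clean() ran), substitutes a local stand-in for mysql_real_escape_string() so no MySQL server is needed, and uses the pdo_sqlite extension for the prepared-statement half.

```php
<?php
// Added example, not code from the thread. It reproduces the ordering bug
// in the posted clean() and shows a prepared statement as the alternative.

// Stand-in for mysql_real_escape_string() so this runs without a MySQL
// server (assumption): escapes the same characters the MySQL C API does.
function mysql_style_escape(string $s): string {
    return strtr($s, ["\\" => "\\\\", "'" => "\\'", '"' => '\\"',
                      "\n" => "\\n", "\r" => "\\r", "\0" => "\\0", "\x1a" => "\\Z"]);
}

// The posted clean() with magic_quotes_gpc assumed ON (common on PHP 5
// hosts of the time), so the first branch ran stripslashes(). ENT_NOQUOTES
// mirrors the old htmlspecialchars() default of leaving single quotes alone.
function posted_clean(string $s): string {
    $s = trim(stripslashes($s));
    $s = mysql_style_escape($s);                 // escaping is added here...
    return stripslashes(strip_tags(htmlspecialchars($s, ENT_NOQUOTES))); // ...and removed here
}

// Builds the UPDATE the way the post did: escape, then interpolate into SQL.
function posted_update_sql(string $body): string {
    return "UPDATE news SET body = '" . posted_clean($body) . "' WHERE id = 1";
}

// Defender's version: the value travels as a bound parameter and never
// becomes part of the SQL text, so no escaping order can break it.
function prepared_update(PDO $db, int $id, string $body): string {
    $upd = $db->prepare('UPDATE news SET body = :body WHERE id = :id');
    $upd->execute([':body' => $body, ':id' => $id]);
    $sel = $db->prepare('SELECT body FROM news WHERE id = :id');
    $sel->execute([':id' => $id]);
    return (string) $sel->fetchColumn();
}

// Constructed input: an apostrophe plus a Windows line break, like the news text in the post.
$body = "pr'etty princess\r\nsee it does it";

// In the posted pipeline the apostrophe now terminates the SQL string literal
// early, and the CR/LF pair has collapsed to the bare letters "rn".
echo posted_update_sql($body), "\n";

$db = new PDO('sqlite::memory:');              // assumes the pdo_sqlite extension
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO news (id, body) VALUES (1, 'old')");
echo prepared_update($db, 1, $body) === $body ? "stored unchanged\n" : "corrupted\n";
```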