grlayouts Posted February 25, 2010

I have an in-game chat script which works great apart from one little thing. When a user uses like ' or ; or = or ), the script doesn't post the message in the database. Can anyone help?

```php
<?php
if ($sc == "") {
    diver('Battle Of Species Global Game Talk');
    $sql3 = "UPDATE users SET gamechat=0 where id=$userid";
    mysql_query($sql3);
    echo '<center><BR>[<a href="index.php?cmd=chat&sc=chatadd">Add Post</a>]</center><BR><BR>';
    $sql = "SELECT id FROM comm2 WHERE parent=0 ORDER BY `time` DESC";
    $r = mysql_query($sql);
    while ($row = mysql_fetch_row($r)) {
        echo '<table border="0"><tr><td>';
        showMessage($row[0], 0, $b);
        echo '</td></tr></table><BR><BR>';
    }
} else if ($sc == "chatadd") {
    diver('Enter Your Post Below');
    echo '<center>';
    echo '<form method="post" action="index.php?cmd=chat&sc=chatadd2">';
    echo '<input type="hidden" name="inPar" value="'.$inPar.'">';
    echo '<textarea rows="10" cols="45" name="inText" style="'.$boxStyle.'"></textarea><BR><BR><input type="submit" value="Post">';
    echo '</form></center>';
} else if ($sc == "chatadd2") {
    diver("Message Posted");
    $inText = clean($inText);
    // $userid, $inPar and $inText are interpolated straight into the statement;
    // a single quote in the post text ends the string literal and the INSERT fails.
    $sql = "INSERT INTO comm2 (author,parent,time,post) VALUES ('{$userid}','{$inPar}','".time()."','{$inText}')";
    mysql_query($sql);
    $sql2 = "UPDATE users SET gamechat=1";
    mysql_query($sql2);
    echo '<BR><BR><center>Your message has been posted!<BR>[<a href="index.php?cmd=chat">Back to Game Chat</a>]';
}

// Prints one post (id $m) indented $l levels, then recurses into its replies.
function showMessage($m, $l, $b)
{
    global $prefDate;
    echo '<table border="0" style="font-family: Verdana; font-size: 12px" cellpadding="4"><tr>';
    for ($i = 0; $i < $l; $i++) {
        echo '<td> </td>';
    }
    echo '<td>';
    $sql = "SELECT `post`,`author`,`id`,`time` FROM `comm2` WHERE `id`='{$m}'";
    $r = mysql_query($sql);
    $row = mysql_fetch_row($r);
    $row[0] = '<B>'.getvalue($row[1], 'handle').'</B><BR>'.$row[0];
    $row[0] .= '<BR>[<a href="index.php?cmd=chat&sc=chatadd&inPar='.$row[2].'">Reply</a>] [Posted: '.date($prefDate, $row[3]).']';
    echo str_replace(' ', '<BR>', $row[0]);
    echo '</td></tr></table>';
    $sql = "SELECT id FROM comm2 WHERE parent={$m} ORDER BY time DESC";
    $r = mysql_query($sql);
    while ($row = mysql_fetch_row($r)) {
        showMessage($row[0], $l + 1, $b);
    }
}
```

Link to comment: https://forums.phpfreaks.com/topic/193390-insert-error/
schilly Posted February 25, 2010

you need to escape your inputs.

```php
$sql = sprintf(
    "INSERT INTO comm2 (author,parent,time,post) VALUES ('%s','%s','".time()."','%s')",
    mysql_real_escape_string($userid),
    mysql_real_escape_string($inPar),
    mysql_real_escape_string($inText)
);
```

Link to comment: https://forums.phpfreaks.com/topic/193390-insert-error/#findComment-1018254
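The same INSERT written with a prepared statement instead of string escaping, as an added example (not code from either poster). Binding sends the post text as a parameter, so characters such as ' ; = ) are stored as data and never parsed as SQL, which is the failure the question describes. It uses mysqli rather than the ext/mysql functions in the thread (ext/mysql was removed in PHP 7, and mysql_real_escape_string needs an open connection to know the charset). Assumed: a comm2 table with columns author, parent, time, post as in the original code; the connection details and the $userid/$inPar/$inText values are placeholders or constructed.

```php
<?php
// Added example: parameterised INSERT for the comm2 chat table.
// Assumptions: same column layout as the question (author, parent, time, post);
// connection credentials below are placeholders, not values from the thread.

function connectChatDb(): mysqli
{
    $db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                     'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    // Escaping and binding both depend on the connection charset; set it explicitly.
    $db->set_charset('utf8mb4');
    return $db;
}

// Insert one chat post. author and parent are bound as integers, the text as a
// string; the driver quotes nothing and the text cannot alter the statement.
function addChatPost(mysqli $db, int $userId, int $parentId, string $text): int
{
    $stmt = $db->prepare(
        'INSERT INTO comm2 (author, parent, time, post) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $now = time();
    $stmt->bind_param('iiis', $userId, $parentId, $now, $text);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Output side: the stored text may legitimately contain < > & " ' and must be
// encoded when echoed, otherwise a post becomes HTML/script in every reader's page.
function renderPost(string $handle, string $text): string
{
    $safeHandle = htmlspecialchars($handle, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeText   = nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
    return '<b>' . $safeHandle . '</b><br>' . $safeText;
}

// Usage with constructed values: the post text contains every character the
// question reports as breaking the INSERT.
$db     = connectChatDb();
$userid = 42;                                          // placeholder for the logged-in user id
$inPar  = isset($_POST['inPar']) ? (int) $_POST['inPar'] : 0;
$inText = $_POST['inText'] ?? "it's a test; x=1 ) done";  // constructed sample post
$newId  = addChatPost($db, $userid, $inPar, $inText);
echo renderPost('grlayouts', $inText);
```

Escaping (as in the reply above) and binding both stop the quote from terminating the literal; the difference is that with binding the query text is fixed before any user value is involved, so there is no per-call escaping step to forget, and the integer parameters cannot be used to inject either. The htmlspecialchars call covers the separate problem visible in showMessage, where post text is echoed unencoded.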
This topic is now archived and is closed to further replies.