grlayouts Posted February 25, 2010 Share Posted February 25, 2010 I have an in game chatr script which works great apart from one little thing. when a user uses like ' or ; or = or ) the script doesnt post the message in the database can anyone help? <?php if ($sc == "") { diver ('Battle Of Species Global Game Talk'); $sql3 = "UPDATE users SET gamechat=0 where id=$userid"; mysql_query($sql3); echo '<center><BR>[<a href="index.php?cmd=chat&sc=chatadd">Add Post</a>]</center><BR><BR>'; $sql = "SELECT id FROM comm2 WHERE parent=0 ORDER BY `time` DESC"; $r = mysql_query($sql); while ($row = mysql_fetch_row($r)) { echo '<table border="0"><tr><td>'; showMessage($row[0], 0,$b); echo '</td></tr></table><BR><BR>'; } }else if ($sc =="chatadd") { diver ('Enter Your Post Below'); echo '<center>'; echo '<form method="post" action="index.php?cmd=chat&sc=chatadd2">'; echo '<input type="hidden" name="inPar" value="'.$inPar.'">'; echo '<textarea rows="10" cols="45" name="inText" style="'.$boxStyle.'"></textarea><BR><BR><input type="submit" value="Post">'; echo '</form></center>'; }else if ($sc == "chatadd2") { diver ("Message Posted"); $inText = clean($inText); $sql = "INSERT INTO comm2 (author,parent,time,post) VALUES ('{$userid}','{$inPar}','".time()."','{$inText}')"; mysql_query($sql); $sql2 = "UPDATE users SET gamechat=1"; mysql_query($sql2); echo '<BR><BR><center>You message has been posted!<BR>[<a href="index.php?cmd=chat">Back to Game Chat</a>]'; } function showMessage($m, $l, $b) { global $prefDate; echo '<table border="0" style="font-famile: Verdana; font-size: 12px" cellpadding="4"><tr>'; for ($i = 0; $i < $l; $i++) { echo '<td> </td>'; } echo '<td>'; $sql = "SELECT `post`,`author`,`id`,`time` FROM `comm2` WHERE `id`='{$m}'"; $r = mysql_query($sql); $row = mysql_fetch_row($r); $row[0] = '<B>'.getvalue($row[1],'handle').'</B><BR>'. $row[0]; $row[0] .= '<BR>[<a href="index.php?cmd=chat&sc=chatadd&inPar='.$row[2].'">Reply</a>] [Posted: '. date($prefDate,$row[3]) .']'; echo str_replace(' ','<BR>',$row[0]); echo '</td></tr></table>'; $sql = "SELECT id FROM comm2 WHERE parent={$m} ORDER BY time DESC"; $r = mysql_query($sql); while ($row = mysql_fetch_row($r)) { showMessage($row[0], $l + 1, $b); } } Quote Link to comment Share on other sites More sharing options...
schilly Posted February 25, 2010 Share Posted February 25, 2010 you need to escape your inputs. $sql = sprintf("INSERT INTO comm2 (author,parent,time,post) VALUES ('%s','%s','".time()."','%s')", mysql_real_escape_string($userid), mysql_real_escape_string($inPar), mysql_real_escape_string($inText)); Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.