TeddyKiller
Posted April 3, 2010

My PHP is below. Basically, whenever I use an ' in a message or whatever, it brings up an SQL syntax error.

EG:

Notice: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's me', 'testing it's me', '1270259346')' at line 2 in /home/jeanie/public_html/mail.php on line 400

```php
if (isset($_POST['send'])) {
    if (empty($_POST['message']) || empty($_POST['to'])) {
        // Single-quoted string: the double quotes need no backslashes
        $error = '<span style="color:#E11919;">You have left empty fields!</span><br />';
    }
    if (!$error) {
        $to = $_POST['to'];
        $from = $user->id;
        $subject = stripslashes($_POST['subject']);
        $message = stripslashes($_POST['message']);
        $date = time();
        // As posted: the values go into the SQL string unescaped, so an
        // apostrophe in the subject or message ends the string literal early
        $query = mysql_query("INSERT INTO `sent_messages` (to_id, from_id, subject, message, date)
            VALUES ('$to', '$from', '$subject', '$message', '$date')") or trigger_error(mysql_error());
        echo "<span style=\"color:#E11919;\">Your message has been sent</span><br />";
    }
    echo $error;
}
```

How can I fix this?

trq
Posted April 3, 2010

You need to escape all user submitted data for bad chars. See mysql_real_escape_string.

TeddyKiller
Posted April 3, 2010

Ah, I tried.. stripslashes(mysql_real_escape_string()) Though it had to be the other way round... d'oh. thanks

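
An added example, not part of the original thread or the posters' code: the same insert written with a PDO prepared statement, next to the concatenated form, so the apostrophe in "testing it's me" is bound as data instead of being parsed as SQL. It assumes the `pdo_sqlite` extension and uses an in-memory SQLite database in place of the poster's MySQL server; the table layout follows the query in the first post, and the sample values and user id are constructed.

```php
<?php
// Added example: in-memory SQLite stands in for the poster's MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sent_messages (
    to_id INTEGER, from_id INTEGER, subject TEXT, message TEXT, date INTEGER)');

// Constructed sample input, mirroring the values in the error message.
$post = ['to' => '7', 'subject' => "it's me", 'message' => "testing it's me"];
$fromId = 42; // hypothetical logged-in user id

// 1) Concatenation, as in the first post: the apostrophe ends the string
//    literal early and the statement no longer parses.
function sendConcatenated(PDO $pdo, array $post, int $fromId): string
{
    $sql = "INSERT INTO sent_messages (to_id, from_id, subject, message, date)
            VALUES ('{$post['to']}', '$fromId', '{$post['subject']}',
                    '{$post['message']}', '" . time() . "')";
    try {
        $pdo->exec($sql);
        return 'stored';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

// 2) Prepared statement: the SQL text is fixed and the values are bound
//    separately, so no escaping (or stripslashes ordering) is involved.
function sendPrepared(PDO $pdo, array $post, int $fromId): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO sent_messages (to_id, from_id, subject, message, date)
         VALUES (:to, :from, :subject, :message, :date)'
    );
    $stmt->execute([
        ':to'      => (int) $post['to'],
        ':from'    => $fromId,
        ':subject' => $post['subject'],
        ':message' => $post['message'],
        ':date'    => time(),
    ]);
}

echo sendConcatenated($pdo, $post, $fromId), PHP_EOL;
sendPrepared($pdo, $post, $fromId);
echo $pdo->query('SELECT message FROM sent_messages')->fetchColumn(), PHP_EOL;
```

The `mysql_*` functions used in the thread were removed in PHP 7.0; PDO and mysqli both provide prepared statements against MySQL.
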
This topic is now archived and is closed to further replies.