Single Quote Syntax Error

[ajicles]

I have fixed the error before when it gave me the error when someone enters a single quote into a field. And it is doing it again for some reason.

 

Thanks AJ.

 

Error:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's voice is high listen to usher's.')' at line 3

 

<?php
$con = mysql_connect("mysql4.freehostia.com","ajilmf_likebook","*********");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("ajilmf_likebook", $con);

$result = mysql_query("SELECT * FROM facebook", $con);
$num_rows = mysql_num_rows($result);
$ID = $num_rows + 1;  

mysql_select_db("test");

$sql="INSERT INTO facebook(ID, post_content)
VALUES
('$ID','$_POST[post_content]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo '<head><META HTTP-EQUIV="refresh" CONTENT="0;URL=http://likebook.cz.cc/like.php?id='.$ID.'"></head><br>';
echo '<center>If your browser does not support redirecting <a href="http://likebook.cz.cc/like.php?id='.$ID.'">click here</a>.</center>';
mysql_close($con)
?> 

[Mchl]

Use mysql_real_escape_string on your $_POST[] variables BEFORE you put them into your query.

[kenrbnsn]

Always use the function mysql_real_escape_string when inserting/updating data in a MySQL database.

 

<?php
$sql="INSERT INTO facebook(ID, post_content) VALUES ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "')";
?>

 

If you don't, you're opening your script up to hackers.

 

Ken

 

[Mchl]

Always use the function mysql_real_escape_string when inserting/updating data in a MySQL database.

 

As well as SELECTing or DELETEing or anything.

[ajicles]

Thank you very much. I just learned PHP and MYSQL lastweek lol. Learn by online internet videos from Lynda.com

[ajicles]

It is still returning me an error when I enter single quotes into my form.

 

Here is the website I am using it in that I made: http://likebook.cz.cc

 

And where you enter a sentence with a single quote in it it returns an error.

 

Thanks

    ~AJ

 

ERROR:

Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'd always be there... Where are you now? ')' at line 3

 

PHP:

<?php
$con = mysql_connect("mysql4.freehostia.com","ajilmf_likebook","*********");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("ajilmf_likebook", $con);

$result = mysql_query("SELECT * FROM facebook", $con);
$num_rows = mysql_num_rows($result);
$ID = $num_rows + 1;  

mysql_select_db("ajilmf_likebook");

$sql="INSERT INTO facebook(ID, post_content) VALUES ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo '<head><META HTTP-EQUIV="refresh" CONTENT="0;URL=http://likebook.cz.cc/like.php?id='.$ID.'"></head><br>';
echo '<center>If your browser does not support redirecting <a href="http://likebook.cz.cc/like.php?id='.$ID.'">click here</a>.</center>';
mysql_close($con)
?> 

[Mchl]

Thank you very much. I just learned started learning PHP and MYSQL lastweek lol.

 

 

Are you sure you saved and uploaded your changes? People sometimes get confused about it

[ajicles]

Thank you very much. I just learned started learning PHP and MYSQL lastweek lol.

 

 

Are you sure you saved and uploaded your changes? People sometimes get confused about it

 

I believe I did. I'll check the webserver for any changes.  I forgot to upload to FTP it I was FTPING the wrong files.

 

Thank you so much for your help.

    ~ AJ

[kenrbnsn]

When you're just learning, it's much easier to use a webserver on your PC, such as xampp or wamp. I use xampp. Then you don't have to worry about uploading to another machine.

 

Ken

[ajicles]

When you're just learning, it's much easier to use a webserver on your PC, such as xampp or wamp. I use xampp. Then you don't have to worry about uploading to another machine.

 

Ken

 

I use WAMP at home and WAMPP at school. I had just finished my website and was uploading it with a few errors. Another error I came across was if entered a sentence like

 

"Don't Eat Yellow Snow"

 

It would work, but using Facebook's SDK if wouldn't make the page for it. It would only make a page that would be titled:

 

"Don'

 

Since the code for it was:

 

<meta property="og:title" content=''<?php echo $row[1]; ?>''/>

 

It would end the sentence at when the quotes were used. To fix that I use double single quotes ' ' not " or '

 

Problem fixed.

 

Thank you for your help.

    ~ AJ

 

[Mchl]

That is incorrect solution. You should use htmlentities function instead.