Problem with apostrophe (')

[cdmafra]

Hello

 

I have a problem with my website. I can publish news normally (even whitout an editing system), but there is always a problem: I can't post news that contains a apostrophe ('), because of an error that I don't understand:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '</p>','','','','','Autos/Pistas')' at line 1

 

 

My code to submit news:

$publish="INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('".$_POST["news_title"]."','".$_POST["news_subtitle"]."','".$_POST["news_desc"]."','".$_POST["news_post"]."','".$_POST["news_date"]."','".$_POST["hour"]."','".$_POST["news_image"]."','".$_POST["news_image_peq"]."','".$_POST["categoria"]."')";

 

Thank you in advance

Edited September 9, 2013 by cdmafra

[cdmafra]

  e

Edited September 9, 2013 by cdmafra

[Muddy_Funster]

your problem is that you are not sanitizing your input strings.  thus your apostrophe is breaking the string that is being sent to the sql server.  it's a far bigger problem than you think as it means you are wide open to SQL injection.  I'll assume you are using the mysql_ librarary - as such you should be running every input string through mysql_real_escape_string() before sending it through your query.  if you happen to be using PDO or mysqli_ then you should be using prepared statements.

[cdmafra]

your problem is that you are not sanitizing your input strings.  thus your apostrophe is breaking the string that is being sent to the sql server.  it's a far bigger problem than you think as it means you are wide open to SQL injection.  I'll assume you are using the mysql_ librarary - as such you should be running every input string through mysql_real_escape_string() before sending it through your query.  if you happen to be using PDO or mysqli_ then you should be using prepared statements.

Thank you.

 

Where must I insert mysql_real_escape_string(); ?

[cataiin]

Thank you.

 

Where must I insert mysql_real_escape_string(); ?

$news_title = mysql_real_escape_string($_POST['news_title']);

$publish="INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('$news_title','".$_POST["news_subtitle"]."','".$_POST["news_desc"]."','".$_POST["news_post"]."','".$_POST["news_date"]."','".$_POST["hour"]."','".$_POST["news_image"]."','".$_POST["news_image_peq"]."','".$_POST["categoria"]."')";

 

Ofc, for every value you send to MySQL.

Edited September 9, 2013 by cataiin

[Muddy_Funster]

every string value that you are sending to the database server should be run through mysql_real_escape_sting().  You should also have basic sense checking in place to make sure that values exist, have a practical length, and are indeed of an expected format.  Also you will need to sanitize numerical values on your own.

 

Also guys, it would be nice if you could both read the forum rules and start using code tags around all you code postings.

[cyberRobot]

The PHP manual shows how to use mysql_real_escape_string(). It also provides an example SQL Injection Attack which could be used against an unprotected query. 

http://php.net/manual/en/function.mysql-real-escape-string.php

 

Side note: the mysql_ functions are officially depreciated. If you're not doing so already, you should start considering the alternatives:

http://www.php.net/manual/en/mysqlinfo.api.choosing.php

[cdmafra]

Solved... thank you!

[cyberRobot]

I have marked the thread as solved. If you need anything else, please mark it as unsolved...or start a new thread.