cdmafra Posted September 9, 2013

Hello, I have a problem with my website. I can publish news normally (even without an editing system), but there is always a problem: I can't post news that contains an apostrophe ('), because of an error that I don't understand:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '</p>','','','','','Autos/Pistas')' at line 1

My code to submit news:

```php
// Request values are concatenated directly into the SQL text.
$publish = "INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('"
    . $_POST["news_title"] . "','"
    . $_POST["news_subtitle"] . "','"
    . $_POST["news_desc"] . "','"
    . $_POST["news_post"] . "','"
    . $_POST["news_date"] . "','"
    . $_POST["hour"] . "','"
    . $_POST["news_image"] . "','"
    . $_POST["news_image_peq"] . "','"
    . $_POST["categoria"] . "')";
```

Thank you in advance.
Muddy_Funster Posted September 9, 2013

Your problem is that you are not sanitizing your input strings. Thus your apostrophe is breaking the string that is being sent to the SQL server. It's a far bigger problem than you think, as it means you are wide open to SQL injection. I'll assume you are using the mysql_ library; as such you should be running every input string through mysql_real_escape_string() before sending it through your query. If you happen to be using PDO or mysqli_, then you should be using prepared statements.
cdmafra Posted September 9, 2013 (Author), in reply to Muddy_Funster

Thank you. Where must I insert mysql_real_escape_string()?
cataiin Posted September 9, 2013

> Thank you. Where must I insert mysql_real_escape_string()?

```php
// Escape the value first, then use the escaped copy in the query.
$news_title = mysql_real_escape_string($_POST['news_title']);

$publish = "INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('$news_title','"
    . $_POST["news_subtitle"] . "','"
    . $_POST["news_desc"] . "','"
    . $_POST["news_post"] . "','"
    . $_POST["news_date"] . "','"
    . $_POST["hour"] . "','"
    . $_POST["news_image"] . "','"
    . $_POST["news_image_peq"] . "','"
    . $_POST["categoria"] . "')";
```

Of course, for every value you send to MySQL.
Muddy_Funster Posted September 9, 2013

Every string value that you are sending to the database server should be run through mysql_real_escape_string(). You should also have basic sense checking in place to make sure that values exist, have a practical length, and are indeed of an expected format. Also, you will need to sanitize numerical values on your own.

Also, guys, it would be nice if you could both read the forum rules and start using code tags around all your code postings.
cyberRobot Posted September 9, 2013

The PHP manual shows how to use mysql_real_escape_string(). It also provides an example SQL injection attack which could be used against an unprotected query:
http://php.net/manual/en/function.mysql-real-escape-string.php

Side note: the mysql_ functions are officially deprecated. If you're not doing so already, you should start considering the alternatives:
http://www.php.net/manual/en/mysqlinfo.api.choosing.php
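To make concrete what Muddy_Funster's first reply and cyberRobot's note about the mysql_ alternatives are getting at, here is an added example (not code from the thread or from any of its posters) that puts the question's concatenated INSERT next to a PDO prepared-statement version. It runs against an in-memory SQLite database so it works offline; the table is trimmed to three of the poster's nine columns, and on the real site the DSN would point at MySQL instead. The sample article and the hostile payload are constructed for the example.

```php
<?php
// Added example, not code from the original thread. Assumptions: SQLite in memory
// instead of the poster's MySQL server, and a three-column cut of the news table.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (news_title TEXT, news_post TEXT, categoria TEXT)');
    return $db;
}

// The pattern from the question: request values spliced straight into the SQL text.
// A quote inside any value ends the string literal early and the rest is parsed as SQL.
function insertUnsafe(PDO $db, array $post): void
{
    $sql = "INSERT INTO news(news_title,news_post,categoria) VALUES('"
         . $post['news_title'] . "','" . $post['news_post'] . "','" . $post['categoria'] . "')";
    $db->exec($sql);
}

// Hardened version: the SQL is fixed at prepare() time and the values travel as
// parameters, so a quote in the data is just a character in the stored string.
function insertSafe(PDO $db, array $post): void
{
    // Basic sense checks, as the thread recommends: presence and a practical length.
    foreach (['news_title', 'news_post', 'categoria'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
    }
    if (strlen($post['news_title']) > 200) {
        throw new InvalidArgumentException('news_title too long');
    }

    $stmt = $db->prepare(
        'INSERT INTO news(news_title,news_post,categoria) VALUES(:title, :post, :cat)'
    );
    $stmt->execute([
        ':title' => $post['news_title'],
        ':post'  => $post['news_post'],
        ':cat'   => $post['categoria'],
    ]);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM news')->fetchColumn();
}

// Constructed sample input: an apostrophe in the title, the case the question describes.
$article = [
    'news_title' => "O'Brien wins the race",
    'news_post'  => "<p>It's over.</p>",
    'categoria'  => 'Autos/Pistas',
];

$db = makeDb();

try {
    insertUnsafe($db, $article);
} catch (PDOException $e) {
    // Same class of failure as the MySQL error quoted in the question.
    echo "unsafe insert failed: " . $e->getMessage() . PHP_EOL;
}
echo "rows after unsafe insert: " . rowCount($db) . PHP_EOL;

insertSafe($db, $article);
echo "rows after safe insert: " . rowCount($db) . PHP_EOL;

// The same concatenation lets the client add a row of its own choosing: closing the
// VALUES tuple and opening another is valid SQL, so no error is raised at all.
$hostile = [
    'news_title' => 'harmless title',
    'news_post'  => 'harmless body',
    'categoria'  => "cat'),('injected title','injected body','injected cat",
];
insertUnsafe($db, $hostile);
echo "rows after hostile unsafe insert: " . rowCount($db) . PHP_EOL;

// With the prepared statement the same payload is stored verbatim as one value.
insertSafe($db, $hostile);
echo "rows after hostile safe insert: " . rowCount($db) . PHP_EOL;
$stored = $db->query(
    "SELECT categoria FROM news WHERE news_title = 'harmless title' ORDER BY rowid DESC LIMIT 1"
)->fetchColumn();
echo "stored categoria: " . $stored . PHP_EOL;
```

Run it with `php` on a build that has pdo_sqlite enabled. The first unsafe call throws, exactly as the poster's MySQL server did; the hostile categoria value produces two rows from a single unsafe call, while the prepared statement stores that same text as one ordinary string. Escaping with mysql_real_escape_string() handles the quote case, but it only works for values placed inside quoted string literals, which is why the thread's advice to move to PDO or mysqli prepared statements is the better fix.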
cdmafra Posted September 13, 2013 (Author; marked as solution)

Solved... thank you!
cyberRobot Posted September 13, 2013

I have marked the thread as solved. If you need anything else, please mark it as unsolved, or start a new thread.