
Problem with apostrophe (')


cdmafra


Hello

 

I have a problem with my website. I can publish news normally (even without an editing system), but there is always a problem: I can't post news that contains an apostrophe ('), because of an error that I don't understand:

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '</p>','','','','','Autos/Pistas')' at line 1

 

 

My code to submit news:

$publish="INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('".$_POST["news_title"]."','".$_POST["news_subtitle"]."','".$_POST["news_desc"]."','".$_POST["news_post"]."','".$_POST["news_date"]."','".$_POST["hour"]."','".$_POST["news_image"]."','".$_POST["news_image_peq"]."','".$_POST["categoria"]."')";

 

Thank you in advance


Your problem is that you are not sanitizing your input strings. Thus your apostrophe is breaking the string that is being sent to the SQL server. It's a far bigger problem than you think, as it means you are wide open to SQL injection. I'll assume you are using the mysql_ library; as such you should be running every input string through mysql_real_escape_string() before sending it through your query. If you happen to be using PDO or mysqli_ then you should be using prepared statements.

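As an added example (not code from the thread), the following shows why the apostrophe breaks the concatenated query, what an attacker can do with the same hole, and the thread's INSERT rewritten as a PDO prepared statement. The table and field names are the thread's; the DSN, database user, password and the two constructed form submissions are placeholders chosen for illustration.

```php
<?php
// Added example, not code from the thread. Table and field names are the
// thread's; the DSN, user, password and sample inputs are placeholders.

// The original post builds the SQL text by string concatenation. Reduced to
// two columns here so the effect on the query text is easy to read.
function build_unsafe_query(array $post): string
{
    return "INSERT INTO news(news_title,news_subtitle) VALUES('"
        . $post['news_title'] . "','" . $post['news_subtitle'] . "')";
}

// The fix: send the SQL text and the values separately, so a value can never
// be parsed as SQL. Column names come from a fixed list in the code, never
// from the request (identifiers cannot be bound as parameters).
function publish_news(PDO $pdo, array $post): int
{
    $columns = ['news_title', 'news_subtitle', 'news_desc', 'news_post',
                'news_date', 'hour', 'news_image', 'news_image_peq', 'categoria'];

    $placeholders = [];
    $params = [];
    foreach ($columns as $column) {
        $placeholders[] = ':' . $column;
        $params[':' . $column] = isset($post[$column]) ? (string) $post[$column] : '';
    }

    $sql = 'INSERT INTO news (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', $placeholders) . ')';
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);           // values travel outside the SQL text
    return (int) $pdo->lastInsertId();
}

// Constructed form submissions (not real data): an ordinary title containing
// an apostrophe, and a hostile one that carries its own SQL.
$honest = [
    'news_title'     => "Today's race",
    'news_subtitle'  => 'Sunday report',
    'news_desc'      => 'Short description',
    'news_post'      => '<p>Full text</p>',
    'news_date'      => '2013-03-10',
    'hour'           => '14:30',
    'news_image'     => 'race.jpg',
    'news_image_peq' => 'race_small.jpg',
    'categoria'      => 'Autos/Pistas',
];
$hostile = ['news_title' => "x','owned') -- ", 'news_subtitle' => 'Autos/Pistas'];

// Print the SQL text the concatenating code would send in each case.
echo build_unsafe_query($honest), "\n";
echo build_unsafe_query($hostile), "\n";

// The prepared-statement version, against a placeholder database.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpassword', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare, no client-side quoting
    ]);
    $id = publish_news($pdo, $honest);
    echo "inserted news id $id\n";
} catch (PDOException $e) {
    echo 'database error: ', $e->getMessage(), "\n";
}
```

With the honest input, the apostrophe in "Today's" closes the string literal and MySQL reports a syntax error near the remainder of the statement, which is the message in the original post. With the hostile input, the value supplies its own closing quote, closing parenthesis and `-- ` comment marker, so the server executes the attacker's version of the INSERT and ignores the rest of the original text. Setting `PDO::ATTR_EMULATE_PREPARES` to false makes the driver prepare the statement on the server and send the values afterwards, so no quoting step exists to get wrong; note that prepared statements protect values only, so column names and table names must still come from a fixed list in your code.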


Thank you.

 

Where must I insert mysql_real_escape_string(); ?



$news_title = mysql_real_escape_string($_POST['news_title']);

$publish="INSERT INTO news(news_title,news_subtitle,news_desc,news_post,news_date,hour,news_image,news_image_peq,categoria) VALUES('$news_title','".$_POST["news_subtitle"]."','".$_POST["news_desc"]."','".$_POST["news_post"]."','".$_POST["news_date"]."','".$_POST["hour"]."','".$_POST["news_image"]."','".$_POST["news_image_peq"]."','".$_POST["categoria"]."')";

 

Of course, for every value you send to MySQL.


Every string value that you are sending to the database server should be run through mysql_real_escape_string(). You should also have basic sense checking in place to make sure that values exist, have a practical length, and are indeed of an expected format. Also, you will need to sanitize numerical values on your own.

 

Also, guys, it would be nice if you could both read the forum rules and start using code tags around all your code postings.

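The sense checking described in the post above, as an added example that is not code from the thread: each field the INSERT needs is checked for presence, a practical length and the expected format, numeric values are coerced rather than escaped, and the string values are escaped with the connection's character set set first. The length limits, the date and hour formats, the category list, the connection details and the constructed request are all assumptions chosen for illustration. The mysql_ extension was removed in PHP 7, so the escaping step uses the mysqli_ equivalent.

```php
<?php
// Added example, not code from the thread. Limits, formats, category list,
// connection details and the sample request are assumptions for illustration.

// Check that every field the INSERT needs exists, has a practical length and
// matches the expected format. Returns the cleaned values and any errors.
function validate_news_post(array $post, array $allowedCategories): array
{
    $errors = [];
    $clean  = [];

    $textLimits = [
        'news_title'     => 200,
        'news_subtitle'  => 200,
        'news_desc'      => 1000,
        'news_post'      => 65000,
        'news_image'     => 255,
        'news_image_peq' => 255,
    ];
    foreach ($textLimits as $field => $max) {
        $value = isset($post[$field]) ? (string) $post[$field] : '';
        if ($field === 'news_title' && trim($value) === '') {
            $errors[$field] = 'required';
        } elseif (strlen($value) > $max) {
            $errors[$field] = "longer than $max bytes";
        } else {
            $clean[$field] = $value;
        }
    }

    // Date must be a real calendar date in YYYY-MM-DD; the round trip through
    // format() rejects overflowing values such as 2013-02-30.
    $date = isset($post['news_date']) ? (string) $post['news_date'] : '';
    $parsed = DateTime::createFromFormat('!Y-m-d', $date);
    if ($parsed === false || $parsed->format('Y-m-d') !== $date) {
        $errors['news_date'] = 'expected YYYY-MM-DD';
    } else {
        $clean['news_date'] = $date;
    }

    $hour = isset($post['hour']) ? (string) $post['hour'] : '';
    if (!preg_match('/^(?:[01]\d|2[0-3]):[0-5]\d$/', $hour)) {
        $errors['hour'] = 'expected HH:MM';
    } else {
        $clean['hour'] = $hour;
    }

    // The category comes from a fixed list, so compare against that list
    // instead of accepting free text.
    $category = isset($post['categoria']) ? (string) $post['categoria'] : '';
    if (!in_array($category, $allowedCategories, true)) {
        $errors['categoria'] = 'unknown category';
    } else {
        $clean['categoria'] = $category;
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Numeric values are not quoted in SQL, so escaping does nothing for them:
// "WHERE news_id = " followed by the escaped string "1 OR 1=1" is still
// WHERE news_id = 1 OR 1=1. Coerce to the expected type instead; returns
// the integer, or null when the input is not a positive integer.
function news_id_from_request($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Escaping the validated strings. mysqli_real_escape_string() escapes
// according to the connection's character set, so the caller must have
// called mysqli_set_charset() before this runs.
function build_escaped_insert(mysqli $db, array $clean): string
{
    $columns = ['news_title', 'news_subtitle', 'news_desc', 'news_post',
                'news_date', 'hour', 'news_image', 'news_image_peq', 'categoria'];
    $values = [];
    foreach ($columns as $column) {
        $values[] = "'" . mysqli_real_escape_string($db, $clean[$column]) . "'";
    }
    return 'INSERT INTO news(' . implode(',', $columns) . ') VALUES('
         . implode(',', $values) . ')';
}

// Constructed request, as a form post would arrive (not real data).
$request = [
    'news_title'     => "Today's race",
    'news_subtitle'  => 'Sunday report',
    'news_desc'      => 'Short description',
    'news_post'      => '<p>Full text</p>',
    'news_date'      => '2013-02-30',   // not a real date, so validation fails
    'hour'           => '14:30',
    'news_image'     => 'race.jpg',
    'news_image_peq' => 'race_small.jpg',
    'categoria'      => 'Autos/Pistas',
];
$result = validate_news_post($request, ['Autos/Pistas', 'Motos']);
print_r($result['errors']);
var_dump(news_id_from_request('1 OR 1=1'));

if ($result['ok']) {
    $db = mysqli_connect('localhost', 'dbuser', 'dbpassword', 'site'); // placeholders
    mysqli_set_charset($db, 'utf8mb4');
    mysqli_query($db, build_escaped_insert($db, $result['clean']));
}
```

Change `news_date` to a valid date to reach the insert. Validation runs before anything touches the database, so a rejected request never produces a query; the charset call matters because escaping with the wrong character set can leave multi-byte sequences that MySQL decodes into an unescaped quote.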

The PHP manual shows how to use mysql_real_escape_string(). It also provides an example SQL Injection Attack which could be used against an unprotected query. 

http://php.net/manual/en/function.mysql-real-escape-string.php

 

Side note: the mysql_ functions are officially deprecated. If you're not doing so already, you should start considering the alternatives:

http://www.php.net/manual/en/mysqlinfo.api.choosing.php

