Beauford2016 Posted May 4, 2020

I have an old site written for PHP 5.4 and under and trying (very trying) to get it to work with PHP 7x without much luck. Due to all the changes in 7 my code is one big error message, but one thing at a time.

I cannot get the following code to work at all, even though it worked in PHP 5.

Error:

```
QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'viewuser.php?u=666' id='member'>THE PREDATOR [666] was added to the hit' at line 1
The Query was INSERT INTO gangevents VALUES('','20', UNIX_TIMESTAMP(),'THE PREDATOR [666] was added to the hit list.')
```

I have tried at least 20+ different ways of doing this but just can't get the right syntax to get it inserted into MySQL; the code below is just the latest version. If I echo the a href line out, it works perfectly. I am sure it is something ridiculously simple, but I have been 4 hours and counting on this now.

Thanks

```php
gangevent_add_2($gangdata['gangID'], "<a href='viewuser.php?u=".$r['userid']."' ".$csscode[$r['userlevel']-1].">".$r['username']."</a> [".$r['userid']."] was added to your hitlist");

function gangevent_add_2($gang, $text) {
    global $db;
    $csscode;
    $db->query("UPDATE users SET gangevent = gangevent + 1 WHERE gang={$gang}");
    $db->query("INSERT INTO gangevents VALUES('','$gang', UNIX_TIMESTAMP(),'$text')");
}
```

gizmola Posted May 4, 2020

It's fairly obvious I think. Your $text variable has single quotes in it. You are then trying to insert it:

```php
$db->query("INSERT INTO gangevents VALUES(...,'$text')");
```

Because you are not escaping the $text, you have conflicting single quotes because at runtime the $csscode... becomes:

```
viewuser.php?u=666' id='member'
```

Notice the single quotes around 'member'.

Really you should be changing all your code to use parameters. That is a countermeasure for SQL injection exploits AND eliminates the need for you to escape input.

But in the near term you could fix this by making sure that the code that generates id='member' instead generates id="member"

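An added example, not code from any poster in this thread, of the parameterized form recommended above, applied to the `gangevent_add_2()` function from the first post. It assumes PDO with the pdo_sqlite extension in place of the thread's `$db` wrapper so that it runs offline; the table layout, column names and sample row are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO instead of the
// thread's $db wrapper, an in-memory SQLite database so it runs offline, and
// constructed tables (the column names are hypothetical).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, gang INTEGER, gangevent INTEGER DEFAULT 0)');
$pdo->exec('CREATE TABLE gangevents (id INTEGER PRIMARY KEY, gang INTEGER, evtime INTEGER, evtext TEXT)');
$pdo->exec('INSERT INTO users (userid, gang) VALUES (1, 20)');

function gangevent_add_2(PDO $pdo, int $gang, string $text): void
{
    // Placeholders keep the data out of the SQL text, so quotes inside $text
    // can neither break the syntax nor change the statement.
    $upd = $pdo->prepare('UPDATE users SET gangevent = gangevent + 1 WHERE gang = ?');
    $upd->execute([$gang]);

    // time() stands in for MySQL's UNIX_TIMESTAMP() only because the demo uses SQLite.
    $ins = $pdo->prepare('INSERT INTO gangevents (gang, evtime, evtext) VALUES (?, ?, ?)');
    $ins->execute([$gang, time(), $text]);
}

// Constructed sample row; the apostrophe in the username is deliberate.
$r = ['userid' => 666, 'userlevel' => 1, 'username' => "THE PREDATOR's ALT"];
$csscode = ["id='member'", "id='admin'"];

// Same markup as the original call, single quotes included. The username is
// HTML-escaped on the assumption that the stored text is later rendered as HTML.
$text = "<a href='viewuser.php?u=" . (int) $r['userid'] . "' "
      . $csscode[$r['userlevel'] - 1] . '>'
      . htmlspecialchars($r['username'], ENT_QUOTES, 'UTF-8')
      . '</a> [' . (int) $r['userid'] . '] was added to your hitlist';

gangevent_add_2($pdo, 20, $text);

// Read the row back and compare it with what was passed in.
$stored = $pdo->query('SELECT evtext FROM gangevents')->fetchColumn();
var_dump($stored === $text);
echo $pdo->query('SELECT gangevent FROM users WHERE gang = 20')->fetchColumn(), "\n";
```

With the values bound as parameters, the quoting style inside `$csscode` and the characters in the username no longer affect whether the INSERT parses.
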
Beauford2016 Posted May 4, 2020

I changed this so that id='member' generates id="member" and tried with leaving the single quotes around $text and also with removing them. Same issue.

```php
$csscode = array('id="member"','id="admin"','id="gm"','id="fm"','id="et"','id="mm"','id="ow"','id="ow"');
```

Also tried this - no quotes on member:

```php
$csscode = array('id=member','id="admin"','id="gm"','id="fm"','id="et"','id="mm"','id="ow"','id="ow"');
}
```

Thanks

Edited May 4, 2020 by Beauford2016

Beauford2016 Posted May 4, 2020

Got it, finally.............

```php
$vu = "<a href=viewuser.php?u=".$r['userid']." ";
$cs = $csscode[$r['userlevel']-1].">".$r['username']."</a> ";
$ui = "[".$r['userid']."] was added to your hitlist";

gangevent_add_2($gangdata['gangID'], $vu." ".$cs." ".$ui);
```

Left the single quotes around '$text'. The above might have worked on one line, but never tried it.

Thanks