PHP MySQL insert problem


Beauford2016


I have an old site written for PHP 5.4 and under and am trying (very trying) to get it to work with PHP 7.x without much luck. Due to all the changes in 7 my code is one big error message, but one thing at a time. I cannot get the following code to work at all, even though it worked in PHP 5.

Error:

QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'viewuser.php?u=666' id='member'>THE PREDATOR [666] was added to the hit' at line 1
The Query was INSERT INTO gangevents VALUES('','20', UNIX_TIMESTAMP(),'THE  PREDATOR [666] was added to the hit list.')

I have tried at least 20+ different ways of doing this but just can't get the right syntax to get it inserted into MySQL; the code below is just the latest version. If I echo the a href line out, it works perfectly.

I am sure it is something ridiculously simple, but I have been 4 hours and counting on this now.

Thanks

gangevent_add_2($gangdata['gangID'], "<a href='viewuser.php?u=".$r['userid']."' ".$csscode[$r['userlevel']-1].">".$r['username']."</a> [".$r['userid']."] was added to your hitlist");

function gangevent_add_2($gang, $text) { 
	global $db, $csscode;
	$db->query("UPDATE users SET gangevent = gangevent + 1 WHERE gang={$gang}");
	$db->query("INSERT INTO gangevents VALUES('','$gang', UNIX_TIMESTAMP(),'$text')");
}

 


It's fairly obvious I think.  

Your $text variable has single quotes in it.  You are then trying to insert it:

$db->query("INSERT INTO gangevents VALUES(...,'$text')");

Because you are not escaping the $text, you have conflicting single quotes because at runtime the $csscode...  becomes:

viewuser.php?u=666' id='member'

Notice the single quotes around 'member'.

Really you should be changing all your code to use parameters.  That is a countermeasure for SQL injection exploits AND eliminates the need for you to escape input.

But in the near term you could fix this by making sure that the code that generates  id='member' instead generates id="member"

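The parameterized approach recommended in the answer above, as an added example that is not part of the original thread. It assumes PDO in place of the site's own `$db` wrapper, an in-memory SQLite database standing in for MySQL so it runs offline, and hypothetical column names, since the thread does not show the real schema.

```php
<?php
// Added example, not the original poster's code.
// Assumptions: PDO, SQLite in memory as a stand-in for MySQL, hypothetical columns.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, gang INTEGER, gangevent INTEGER DEFAULT 0)');
$pdo->exec('CREATE TABLE gangevents (id INTEGER PRIMARY KEY AUTOINCREMENT, gang INTEGER, event_time INTEGER, event_text TEXT)');
$pdo->exec('INSERT INTO users (userid, gang) VALUES (666, 20)');

function gangevent_add_2(PDO $pdo, int $gang, string $text): void
{
    // Placeholders keep the data out of the SQL text, so a quote inside
    // $text can never terminate the string literal or alter the statement.
    $upd = $pdo->prepare('UPDATE users SET gangevent = gangevent + 1 WHERE gang = ?');
    $upd->execute([$gang]);

    // Naming the columns lets the auto-increment id be omitted instead of passing ''.
    $ins = $pdo->prepare('INSERT INTO gangevents (gang, event_time, event_text) VALUES (?, ?, ?)');
    $ins->execute([$gang, time(), $text]);
}

// Constructed sample: the same single-quoted markup that broke the original query.
$text = "<a href='viewuser.php?u=666' id='member'>THE PREDATOR</a> [666] was added to your hitlist";
gangevent_add_2($pdo, 20, $text);

// Read the row back and confirm the text was stored byte for byte.
$stored = $pdo->query('SELECT event_text FROM gangevents')->fetchColumn();
var_dump($stored === $text);
```

With a `mysql:` DSN the same `prepare()` and `execute()` calls apply unchanged, and the markup can keep its single or double quotes.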

I changed this so that  id='member' generates id="member" and tried with leaving the single quotes around $text and also with removing them. Same issue.

$csscode = array('id="member"','id="admin"','id="gm"','id="fm"','id="et"','id="mm"','id="ow"','id="ow"');

Also tried this - no quotes on member:

$csscode = array('id=member','id="admin"','id="gm"','id="fm"','id="et"','id="mm"','id="ow"','id="ow"');

Thanks


Got it, finally.............

				$vu = "<a href=viewuser.php?u=".$r['userid']." ";
				$cs = $csscode[$r['userlevel']-1].">".$r['username']."</a> ";
				$ui = "[".$r['userid']."] was added to your hitlist";

				gangevent_add_2($gangdata['gangID'], $vu." ".$cs." ".$ui);

Left the single quotes around '$text'. The above might have worked on one line, but never tried it.

Thanks

