graham23s Posted May 30, 2007

Hey guys,

I have written a private messaging script, but if a user types:

it's a nice day

(for example) the ' causes an error, this one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's',now())' at line 2

Here's my script:

```php
<?php
$receiver_id = $_GET['id'];

// start grabbing the info from the previous form...////////////////////////////////
$subject = trim(stripslashes($_POST['subject']));
$message = nl2br(trim(stripslashes($_POST['message'])));

// make sure no blank entries...////////////////////////////////////////////////////
if(empty($subject) || empty($message)) {
    echo "<br /><b>No Fields Can Be Left Blank!</b><br /><br />";
    include("includes/footer.php");
    exit;
}

// grab the senders id...//////////////////////////////////////////////////////////
$query1 = "SELECT id FROM `membership` WHERE `username`='$member'";
$result1 = mysql_query($query1) or die (mysql_error());
$row = mysql_fetch_array($result1) or die (mysql_error());

// the senders id...////////////////////////////////////////////////////////////////
$sender_id = $row['id'];

// now go about putting the information in the database...//////////////////////////
$query2 = "INSERT INTO `pms` (`sender_id`,`reciever_id`,`subject`,`pm_message`,`date_added`) VALUES ('$sender_id','$receiver_id','$subject','$message',now())";
$result2 = mysql_query($query2) or die (mysql_error());

// was everything ok?...////////////////////////////////////////////////////////////
if ($result2) {
    echo "<br /><b>Private Message Was Successfully Sent!</b><br /><br />";
} else {
    echo "<br /><b>Sorry, There Was An Error Sending Your Message!</b><br /><br />";
}
?>
```

thanks for any help

Graham

chrisprse Posted May 30, 2007

Hi

After:

```php
$sender_id = $row['id'];
```

Add in:

```php
// addslashes() returns the escaped string, so assign the result back
$subject = addslashes($subject);
$message = addslashes($message);
```

Hope this helps.

Chris.

pocobueno1388 Posted May 30, 2007

Use mysql_real_escape_string() on every variable being inserted into the database.

http://php.net/mysql_real_escape_string

That will solve your problem. Then when you want to pull it from the DB, just use stripslashes on it.

graham23s (Author) Posted May 30, 2007

Thanks a lot guys, solved.

Graham
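
The same insert written with bound parameters rather than manual escaping, as an added example that is not code from any poster in this thread. It assumes PDO with an in-memory SQLite database in place of the thread's MySQL connection (the `mysql_*` functions used above were removed in PHP 7.0); the function name `send_pm` and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL server so the script runs offline;
// table and column names are copied from the post, send_pm() is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pms (id INTEGER PRIMARY KEY, sender_id INTEGER,
    reciever_id INTEGER, subject TEXT, pm_message TEXT, date_added TEXT)');

// Values travel as bound parameters, so a quote in the text stays data and
// never becomes part of the SQL statement; no escaping step is involved.
function send_pm(PDO $db, int $sender_id, int $receiver_id, string $subject, string $message): int
{
    $subject = trim($subject);
    $message = trim($message);
    if ($subject === '' || $message === '') {
        throw new InvalidArgumentException('No fields can be left blank');
    }
    // CURRENT_TIMESTAMP is valid in both SQLite and MySQL (the post used now()).
    $stmt = $db->prepare(
        'INSERT INTO pms (sender_id, reciever_id, subject, pm_message, date_added)
         VALUES (:sender, :receiver, :subject, :message, CURRENT_TIMESTAMP)'
    );
    $stmt->execute([
        ':sender' => $sender_id, ':receiver' => $receiver_id,
        ':subject' => $subject, ':message' => $message,
    ]);
    return (int) $db->lastInsertId();
}

// Constructed sample input standing in for $_GET['id'] and the $_POST fields.
$receiver_id = filter_var('7', FILTER_VALIDATE_INT);
if ($receiver_id === false) {
    exit("Invalid receiver id\n");
}
$id = send_pm($db, 3, $receiver_id, "Graham's question", "it's a nice day\nisn't it?");

$stmt = $db->prepare('SELECT subject, pm_message FROM pms WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// The stored text is byte-for-byte what was sent; HTML-escape on output and
// only then turn newlines into <br /> for display.
var_dump($row['pm_message'] === "it's a nice day\nisn't it?");
echo htmlspecialchars($row['subject'], ENT_QUOTES, 'UTF-8'), "\n";
echo nl2br(htmlspecialchars($row['pm_message'], ENT_QUOTES, 'UTF-8')), "\n";
```

The receiver id from the query string and the username used in the sender lookup reach SQL the same way as the subject and message, so they need the same binding (or integer validation, as shown for the id).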
This topic is now archived and is closed to further replies.