graham23s Posted May 30, 2007

Hey guys,

I have written a private messaging script, but if a user types:

it's a nice day

(for example), the ' causes an error. This one:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's',now())' at line 2

Here's my script:

<?php
$receiver_id = $_GET['id'];

// start grabbing the info from the previous form...////////////////////////////////
$subject = trim(stripslashes($_POST['subject']));
$message = nl2br(trim(stripslashes($_POST['message'])));

// make sure no blank entries...////////////////////////////////////////////////////
if(empty($subject) || empty($message)) {
    echo "<br /><b>No Fields Can Be Left Blank!</b><br /><br />";
    include("includes/footer.php");
    exit;
}

// grab the sender's id...//////////////////////////////////////////////////////////
$query1 = "SELECT id FROM `membership` WHERE `username`='$member'";
$result1 = mysql_query($query1) or die (mysql_error());
$row = mysql_fetch_array($result1) or die (mysql_error());

// the sender's id...////////////////////////////////////////////////////////////////
$sender_id = $row['id'];

// now go about putting the information in the database...//////////////////////////
$query2 = "INSERT INTO `pms` (`sender_id`,`reciever_id`,`subject`,`pm_message`,`date_added`) VALUES ('$sender_id','$receiver_id','$subject','$message',now())";
$result2 = mysql_query($query2) or die (mysql_error());

// was everything ok?...////////////////////////////////////////////////////////////
if ($result2) {
    echo "<br /><b>Private Message Was Successfully Sent!</b><br /><br />";
} else {
    echo "<br /><b>Sorry, There Was An Error Sending Your Message!</b><br /><br />";
}
?>

Thanks for any help

Graham

chrisprse Posted May 30, 2007

Hi

After:

$sender_id = $row['id'];

Add in:

$subject = addslashes($subject);
$message = addslashes($message);

Hope this helps.

Chris.

pocobueno1388 Posted May 30, 2007

Use mysql_real_escape_string() on every variable being inserted into the database.

http://php.net/mysql_real_escape_string

That will solve your problem. Then when you want to pull it from the DB, just use stripslashes on it.

graham23s Posted May 30, 2007 Author

Thanks a lot guys, solved.

Graham
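
An added example, not code from any poster in this thread: the same `pms` insert written with PDO prepared statements, the parameterized alternative to escaping each value by hand (the `mysql_*` functions used above were removed in PHP 7). The `send_pm` helper, the in-memory SQLite DSN and the sample inputs are assumptions made so the script runs offline.

```php
<?php
// Added example: constructed schema mirroring the thread's `pms` table.
// SQLite in memory is an assumption so this runs offline; for MySQL only the
// DSN passed to PDO changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE pms (
    id INTEGER PRIMARY KEY,
    sender_id INTEGER, reciever_id INTEGER,
    subject TEXT, pm_message TEXT, date_added TEXT)');

// Hypothetical helper: store one private message using bound parameters.
function send_pm(PDO $pdo, int $senderId, int $receiverId, string $subject, string $message): int
{
    $subject = trim($subject);
    $message = trim($message);
    if ($subject === '' || $message === '') {
        throw new InvalidArgumentException('No fields can be left blank');
    }
    // Placeholders keep the data out of the SQL text, so a quote in the
    // input is stored as data instead of ending the string literal.
    $stmt = $pdo->prepare(
        'INSERT INTO pms (sender_id, reciever_id, subject, pm_message, date_added)
         VALUES (:sender, :receiver, :subject, :message, :added)');
    $stmt->execute([
        ':sender'   => $senderId,
        ':receiver' => $receiverId,
        ':subject'  => $subject,
        ':message'  => $message,
        ':added'    => date('Y-m-d H:i:s'),
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed inputs: the apostrophe from the thread, plus double quotes
// and a backslash.
$inputs = ["it's a nice day", 'she said "hi" with a back\\slash'];
foreach ($inputs as $text) {
    $id = send_pm($pdo, 1, 2, $text, $text);
    $read = $pdo->prepare('SELECT subject FROM pms WHERE id = ?');
    $read->execute([$id]);
    $stored = $read->fetchColumn();
    // The value comes back byte-for-byte; no stripslashes() on the way out.
    echo ($stored === $text ? 'OK   ' : 'DIFF ') . $stored . PHP_EOL;
}
```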