[SOLVED] Syntax Error

[almightyegg]

$info = "<a href='/player/view.php?id=$mem[id]'>$mem[username]</a> bought $amounttt of <a href='index.php?code=$row[code]&sort=$userid[sort]'>$item[name]'s</a> from you for $costtt gold.";

 

This line echoes out a syntax error?

 

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '?id=1'>Lord of the Abyss bought 4,200 of <a href='index.php?code=wweed&sort=' at line 2[/code]

[dbo]

Show where you are processing the query. Though my guess is that it's because you're not escaping the input before sending it to the database which is breaking your query and is also a way hackers can perform SQL injection.

[almightyegg]

$info = "<a href='/player/view.php?id={$mem['id']}'>{$mem['username']}</a> bought $amounttt of <a href='index.php?code={$row['code']}&sort={$userid['sort']}'>{$item['name']}'s</a> from you for $costtt gold.";
$news = mysql_query("INSERT INTO news (`userid`, `info`, `timestamp`) 
	VALUES('{$userid['id']}', '$info', '$timestamp')") or die(mysql_error());

[dbo]

Yeah that's exactly the problem. Your ' are breaking the query. Try changing it to:

 

$news = mysql_query("INSERT INTO news (`userid`, `info`, `timestamp`) 
	VALUES('{$userid['id']}', '" . mysql_real_escape_string($info) . "', '$timestamp')") or die(mysql_error());

[almightyegg]

cheers, worked great

[dbo]

Just as a general rule of thumb you should always filter your input... make sure that the users have followed your rules, right datatypes, lengths, formats etc and then escape it before committing the record to the database.

 

Always always always! This will help maintain site security and data integrity.

 

And on that note I just got my phone call so I'm out of here for the night guys. Goodluck!