1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

Can't use apostrophes on my forum

Discussion in 'PHP' started by CuBz, Aug 5, 2010.

  1. #1
    I made my own forum on my website. When anyone tries to use an apostrophe (') in their post it shows the following message, and doesn't post the message

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 've been testing', 'main', '0', '0', '1281039669','2010-08-05 08:16:09')' at line 1
    Code (markup):
    Here is the PHP function after the if

    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topictext', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
    }else{
    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
    }
    mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
    mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
    $message =  "Topic Posted!";
    PHP:
     
    CuBz, Aug 5, 2010 IP
  2. ActiveFrost

    ActiveFrost Notable Member

    Messages:
    2,072
    Likes Received:
    63
    Best Answers:
    3
    Trophy Points:
    245
    #2
    $topictext = htmlentities($topictext, ENT_QUOTES);
    PHP:
    Add this before you move on with queries and it should work.
     
    ActiveFrost, Aug 5, 2010 IP
  3. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #3
    it didnt work
     
    CuBz, Aug 5, 2010 IP
  4. danx10

    danx10 Peon

    Messages:
    1,179
    Likes Received:
    44
    Best Answers:
    2
    Trophy Points:
    0
    #4
    Use mysql_real_escape_string() on all your inputs, before inserting to sql, this will not only prevent sql parsing issues but also prevent sql injection.
     
    danx10, Aug 5, 2010 IP
  5. HuggyEssex

    HuggyEssex Member

    Messages:
    297
    Likes Received:
    4
    Best Answers:
    2
    Trophy Points:
    45
    #5
    If you do not have the get_magic_quotes_gpc() add addslashes() to each input into the database, when you are displaying the string you need to use strip_slashes() to the string.
     
    HuggyEssex, Aug 5, 2010 IP
  6. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #6
    here is the main PHP code...

    $title = strip_tags($_POST['title']);
    $topic_text=strip_tags($_POST['topic_text']);
    $forum=strip_tags($_POST['forum']);
    $new_time = time('h-i-s') + 60;
    
    if ($forum == "Crew" && $fetch->crew != "0"){
    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topic_text', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
    }else{
    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
    }
    mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
    mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
    $message =  "Topic Posted!";
    
    
    }
    PHP:
    Can someone do it for me and put it on here because i'm getting all confused

    Thanks
     
    CuBz, Aug 5, 2010 IP
  7. khan11

    khan11 Active Member

    Messages:
    615
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    58
    #7
    
    $title = mysql_real_escape_string(strip_tags($_POST['title']));
    $topic_text = mysql_real_escape_string(strip_tags($_POST['topic_text']));
    $forum = mysql_real_escape_string(strip_tags($_POST['forum']));
    $new_time = time('h-i-s') + 60;
    
    PHP:
    If it doesn't work, replace "mysql_real_escape_string" with "strip_slashes"
     
    khan11, Aug 5, 2010 IP
  8. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #8
    Thanks but i've just tried both and still getting the syntax :confused:
     
    CuBz, Aug 5, 2010 IP
  9. khan11

    khan11 Active Member

    Messages:
    615
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    58
    #9
    Sorry, my mistake. I meant "addslashes", try it.

    Edit: It will replace apostrophe by adding backslash on it's left.
     
    khan11, Aug 5, 2010 IP
  10. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #10
    nope, still no luck
     
    CuBz, Aug 5, 2010 IP
  11. khan11

    khan11 Active Member

    Messages:
    615
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    58
    #11
    The only tool left to me is: htmlspecialchars

    I don't know anymore :-( Try if it works for you. Moreover, recheck your code to make sure that you're not making any other mistake.

    Try submitting form without adding special characters to see if its working.
     
    khan11, Aug 5, 2010 IP
  12. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #12
    Tried that, still not working, i've tried submitting without adding apostrophes and it posts successfully, its just when an apostrophe is used
     
    CuBz, Aug 5, 2010 IP
  13. khan11

    khan11 Active Member

    Messages:
    615
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    58
    #13
    Post your current code here.
     
    khan11, Aug 5, 2010 IP
  14. CuBz

    CuBz Peon

    Messages:
    117
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #14
    After trying everything you told me, here it is

    $title = htmlspecialchars(strip_tags($_POST['title']));
    $topic_text = htmlspecialchars(strip_tags($_POST['topic_text']));
    $forum = htmlspecialchars(strip_tags($_POST['forum']));
    $new_time = time('h-i-s') + 60;
    
    if ($forum == "Crew" && $fetch->crew != "0"){
    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topic_text', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
    }else{
    mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
    }
    mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
    mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
    $message =  "Topic Posted!";
    
    
    }}
    
    PHP:
     
    CuBz, Aug 5, 2010 IP
  15. khan11

    khan11 Active Member

    Messages:
    615
    Likes Received:
    15
    Best Answers:
    0
    Trophy Points:
    58
    #15
    Sorry, i couldn't figure this out. :(
     
    khan11, Aug 5, 2010 IP
  16. HuggyEssex

    HuggyEssex Member

    Messages:
    297
    Likes Received:
    4
    Best Answers:
    2
    Trophy Points:
    45
    #16
    First make sure that the database is clean, then just add this to each variable you are posting

    
    // Inserting
    $string = addslashes(strip_tags($_POST['field']));
    // Displaying
    $string = stripslashes($string);
    
    PHP:
     
    HuggyEssex, Aug 6, 2010 IP
  17. scriptinstaller

    scriptinstaller Peon

    Messages:
    109
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    0
    #17
    Go back to the mysql_real_escape_string recommendation.
     
    scriptinstaller, Aug 8, 2010 IP
  18. AntelopeSalad

    AntelopeSalad Peon

    Messages:
    85
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    0
    #18
    Using htmlspecialchars() to sanitize quotes and such is definitely not good. You're essentially transforming an apostrophe into '
    You should be using htmlspecialchars() selectively, like if you want to prevent someone from adding HTML tags into a text field but don't want to strip them.

    All you really need to do is mysql_real_escape_string(), you might as well trim() it too, and if you want to just chop out HTML tags then use strip_tags().

    Example:
    $myVariable = mysql_real_escape_string(strip_tags(trim($_POST["myVariable"])));

    You should be using mysqli_ instead of mysql_ too unless your host is 100 years behind the times, then you can at least use parameterized queries and not have to worry about SQL injection or escaping certain characters.

    I'm curious how you managed to make your own forum that has over 30,000+ threads without anyone ever using an apostrophe too. This is the most important part of the thread IMO.
     
    AntelopeSalad, Aug 8, 2010 IP