Can't use apostrophes on my forum

I made my own forum on my website. When anyone tries to use an apostrophe (') in their post it shows the following message, and doesn't post the message

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 've been testing', 'main', '0', '0', '1281039669','2010-08-05 08:16:09')' at line 1

Code (markup):

Here is the PHP function after the if

mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topictext', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
}else{
mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
}
mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
$message =  "Topic Posted!";

PHP:

 

$topictext = htmlentities($topictext, ENT_QUOTES);

PHP:

Add this before you move on with queries and it should work.

 

it didnt work

 

Use mysql_real_escape_string() on all your inputs, before inserting to sql, this will not only prevent sql parsing issues but also prevent sql injection.

 

If you do not have the get_magic_quotes_gpc() add addslashes() to each input into the database, when you are displaying the string you need to use strip_slashes() to the string.

 

here is the main PHP code...

$title = strip_tags($_POST['title']);
$topic_text=strip_tags($_POST['topic_text']);
$forum=strip_tags($_POST['forum']);
$new_time = time('h-i-s') + 60;

if ($forum == "Crew" && $fetch->crew != "0"){
mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topic_text', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
}else{
mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
}
mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
$message =  "Topic Posted!";


}

PHP:

Can someone do it for me and put it on here because i'm getting all confused

Thanks

 

$title = mysql_real_escape_string(strip_tags($_POST['title']));
$topic_text = mysql_real_escape_string(strip_tags($_POST['topic_text']));
$forum = mysql_real_escape_string(strip_tags($_POST['forum']));
$new_time = time('h-i-s') + 60;

PHP:

If it doesn't work, replace "mysql_real_escape_string" with "strip_slashes"

 

Thanks but i've just tried both and still getting the syntax

 

Sorry, my mistake. I meant "addslashes", try it.

Edit: It will replace apostrophe by adding backslash on it's left.

 

nope, still no luck

 

The only tool left to me is: htmlspecialchars

I don't know anymore :-( Try if it works for you. Moreover, recheck your code to make sure that you're not making any other mistake.

Try submitting form without adding special characters to see if its working.

 

Tried that, still not working, i've tried submitting without adding apostrophes and it posts successfully, its just when an apostrophe is used

 

Post your current code here.

 

After trying everything you told me, here it is

$title = htmlspecialchars(strip_tags($_POST['title']));
$topic_text = htmlspecialchars(strip_tags($_POST['topic_text']));
$forum = htmlspecialchars(strip_tags($_POST['forum']));
$new_time = time('h-i-s') + 60;

if ($forum == "Crew" && $fetch->crew != "0"){
mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`,`crew`) VALUES ('', '$username', '$title1', '$topic_text', '$forum', '0', '0', '$time','$timer','$fetch->crew');") or die (mysql_error());
}else{
mysql_query("INSERT INTO `topics` (`id`, `username`, `title`, `topictext`, `forum`, `locked`, `sticky`, `lastreply`,`made`) VALUES ('', '$username', '$title', '$topic_text', '$forum', '0', '0', '$time','$timer');") or die (mysql_error());
}
mysql_query("UPDATE users SET lasttop='$time' WHERE username='$username'");
mysql_query("UPDATE users SET topictime='$new_time' WHERE username='$username'");
$message =  "Topic Posted!";


}}

PHP:

 

Sorry, i couldn't figure this out.

 

First make sure that the database is clean, then just add this to each variable you are posting

// Inserting
$string = addslashes(strip_tags($_POST['field']));
// Displaying
$string = stripslashes($string);

PHP:

 

Go back to the mysql_real_escape_string recommendation.

 

Using htmlspecialchars() to sanitize quotes and such is definitely not good. You're essentially transforming an apostrophe into '
You should be using htmlspecialchars() selectively, like if you want to prevent someone from adding HTML tags into a text field but don't want to strip them.

All you really need to do is mysql_real_escape_string(), you might as well trim() it too, and if you want to just chop out HTML tags then use strip_tags().

Example:
$myVariable = mysql_real_escape_string(strip_tags(trim($_POST["myVariable"])));

You should be using mysqli_ instead of mysql_ too unless your host is 100 years behind the times, then you can at least use parameterized queries and not have to worry about SQL injection or escaping certain characters.

I'm curious how you managed to make your own forum that has over 30,000+ threads without anyone ever using an apostrophe too. This is the most important part of the thread IMO.