error with my php+mysql insert

Posted: Thu Mar 01, 2012 9:08 am
by kevrelland
Hi, I am using FCKeditor to upload content into my db, and if the copy has a ' in it, MySQL throws an error where it takes it as the out of the string.
I have included my code.

Any ideas on how to fix it?
Cheers
Kev

Code:

<?php
/* Add News Article */
if(isset($_POST["action"]) && $_POST["action"] == "AddNews") {
	$addNewsError = array();
	$_POST["title"] = isset($_POST["title"]) ? $_POST["title"] : "NULL";
	$_POST["content"] = isset($_POST["content"]) ? $_POST["content"] : "NULL";
	$_POST["date"] = isset($_POST["date"]) ? $_POST["date"] : "NULL";
	$_POST["online"] = isset($_POST["online"]) ? $_POST["online"] : "NULL";
		
	$query_rsNews = sprintf("INSERT INTO news (title, content, date, online) VALUES ('%s','%s','%s','%d')",$_POST["title"],$_POST["content"],$_POST["date"],$_POST["online"]);
	$rsNews = mysql_query($query_rsNews, $skittles) or die(mysql_error());
	header("Location: NewsActive.php?status=1"); 
	exit();
}
  
/* Delete News Article */
if (isset($_POST["DeleteNews"])){	
	$query_rsNews = "DELETE FROM news WHERE id=" . $_POST["id"];
	$rsNews = mysql_query($query_rsNews, $skittles) or die(mysql_error());
	header("Location: NewsActive.php?status=1"); 
	exit();
}

/* Update Existing News Article */
if(isset($_POST["action"]) && $_POST["action"] == "UpdateNews") {
	$_POST["title"] = isset($_POST["title"]) ? $_POST["title"] : "NULL";
	$_POST["content"] = isset($_POST["content"]) ? $_POST["content"] : "NULL";
	$_POST["online"] = isset($_POST["online"]) ? $_POST["online"] : "NULL";
		
	$query_rsNews = sprintf("UPDATE news SET title='%s', content='%s', online='%d' WHERE id=%d",$_POST["title"],$_POST["content"],$_POST["online"],$_POST["id"]);
	$rsNews = mysql_query($query_rsNews, $skittles) or die(mysql_error());
	header("Location: NewsActive.php?status=1"); 
	exit();
}
?>

Code:

<form method="post" name="newsform" id="newsform" action="<?php echo($thisPageQS);?>">                    
                    <table cellspacing="0" class="NewsForm">
                        <tbody>
                            <tr id="NewsRow">
                                <td class="c1">Name</td>
                                <td class="c2"><input name="title" type="text" value="<?php echo(htmlentities($_POST["title"]));?>" size="75" tabindex="1" class="text"></td>
                            </tr>
                            <tr id="NewsRow">
                                <td class="c1">Online</td>
                                <td class="c2">
                                    <select name="online" tabindex="2"> 
                                        <?php if($_POST["online"] == "1" || $_POST["online"] == "") { 
                                            echo('<option value="1" selected="selected">Yes</option>');
                                            echo('<option value="0">No</option>');
                                        }else{
                                            echo('<option value="1" >Yes</option>');
                                            echo('<option value="0" selected="selected">No</option>');
                                        }?>
                                    </select>
                                </td>
                            </tr>
                            <tr id="NewsRow">
                                <td class="c1">Content</td>
                                <td class="c2"><?php $WARichTextEditor_1 = CreateRichTextEditor ("content", "../HTMLEditor/", "100%", "400px", "Default", "../custom/ContentForm_content_Content2.js", "".((isset($_POST["content"]))?$_POST["content"]:"")  .""); ?></td>
                            </tr>
                            <tr id="NewsRow">
                                <td class="c1" colspan="2">
                                <input type="hidden" name="id" value="<?php echo $row_rsGetNews["id"]; ?>" id="id" >
                                <?php if($_GET["News_ID"] != 0) { ?>
                                <input type="hidden" name="action" value="UpdateNews">
                                <input name="UpdateNews" type="submit" class="buttonMain" id="UpdateNews" value="Update News">
                                <input name="DeleteNews" type="submit" class="buttonMain" id="DeleteNews" onclick=";GP_popupConfirmMsg('Are you SURE you want to DELETE this Article? This action cannot be undone.');return document.MM_returnValue" value="Delete News">
                                <?php } else { ?>
                                <input type="hidden" name="date" value="<?php echo date('Y-m-d'); ?>">
                                <input type="hidden" name="action" value="AddNews">
                                <input name="AddNews" type="submit" class="buttonMain" id="AddNews" value="Add News Article">
                                <?php } ?>
                    			</td>
                            </tr>
                        </tbody>
                	</table>
                    </form>	

Re: error with my php+mysql insert

Posted: Thu Mar 01, 2012 9:47 am
by Celauran
You're passing unescaped data into your queries. Escape your data using mysql_real_escape_string() to protect against SQL injection and fix the problem you're currently having.
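
The failure described in this thread and one way to remove it, as an added example that is not part of either post: it uses PDO placeholders in place of the mysql_real_escape_string() call named in the reply (the mysql_* extension was removed in PHP 7.0). The in-memory SQLite table standing in for the MySQL `news` table, the `$post` array and its values are assumptions constructed for the demonstration.

```php
<?php
// Added example, not the poster's code. An in-memory SQLite table stands in
// for the MySQL `news` table so the script runs without a server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, content TEXT, date TEXT, online INTEGER)');

// Constructed form input: editor content that contains an apostrophe.
$post = array(
    'title'   => "Kev's news",
    'content' => "<p>It's launch day</p>",
    'date'    => '2012-03-01',
    'online'  => '1',
);

// 1) The pattern from the thread: values pasted into the SQL text with sprintf().
//    The apostrophe closes the quoted string early, so the statement no longer parses.
$sql = sprintf(
    "INSERT INTO news (title, content, date, online) VALUES ('%s','%s','%s','%d')",
    $post['title'], $post['content'], $post['date'], $post['online']
);
try {
    $db->exec($sql);
    echo "concatenated query: ok\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

// 2) Placeholders: the SQL text is fixed and the values are sent separately,
//    so a quote inside the data is stored as data and cannot end the string.
$insert = $db->prepare(
    'INSERT INTO news (title, content, date, online) VALUES (:title, :content, :date, :online)'
);
$insert->bindValue(':title', $post['title']);
$insert->bindValue(':content', $post['content']);
$insert->bindValue(':date', $post['date']);
$insert->bindValue(':online', (int) $post['online'], PDO::PARAM_INT);
$insert->execute();
$id = (int) $db->lastInsertId();

$row = $db->query('SELECT title, content FROM news')->fetch(PDO::FETCH_ASSOC);
echo "stored: {$row['title']} / {$row['content']}\n";

// The DELETE (and UPDATE) take the id the same way, bound as an integer.
$delete = $db->prepare('DELETE FROM news WHERE id = :id');
$delete->bindValue(':id', $id, PDO::PARAM_INT);
$delete->execute();
echo "rows deleted: ", $delete->rowCount(), "\n";
```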