Error when ' in the sql insert

pinehead18
Forum Contributor
Posts: 329
Joined: Thu Jul 31, 2003 9:20 pm

Post by pinehead18 »

In my forums, if there is a ' in the subject it will add it to the db. However, it will not allow people to post a reply. This is the error I get:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'm not one to complain..','1')' at line 2

This is my code:


<?php
    // Look up the subject of the topic being replied to. The topic id comes
    // straight from the request and is interpolated into the SQL unescaped.
    $sql = "SELECT subject FROM topics WHERE tid='{$_POST['newtid']}'";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    $subject = $row['subject'];
    $subject = "RE:" . $subject;

    // Insert the reply. Every value, including the subject just read back from
    // the database, is interpolated unescaped, so a ' in any of them ends the
    // string literal early and produces the syntax error quoted above.
    $sql = "INSERT INTO threads (tid,author,body,date,subject,forum_id) VALUES
        ('$newtid','$name','$body','$date','$subject','$fid')";
    mysql_query($sql, $con) or die(mysql_error());
    mysql_close();
?>
nigma
DevNet Resident
Posts: 1094
Joined: Sat Jan 25, 2003 1:49 am

Post by nigma »

Check out PHP's manual entry for the function mysql_escape_string: http://us4.php.net/manual/en/function.m ... string.php

Let me know if things work out.
tim
DevNet Resident
Posts: 1165
Joined: Thu Feb 12, 2004 7:19 pm
Location: ohio

Post by tim »

To add on to nigma, it's better (also recommended) to use http://us4.php.net/manual/en/function.m ... string.php instead of the function suggested above.
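The escaping route the two replies above point at, alongside the bound-parameter approach that has since replaced it, as an added example that is not part of the thread (the mysql_* extension used in the original post was removed in PHP 7). It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the table layout, the request values and the stored subject are constructed for illustration and are not the poster's.

```php
<?php
// Added example, not code from the thread. The same reply-insert done three ways
// against an in-memory SQLite database through PDO, so it runs stand-alone with
// the pdo_sqlite extension. Table and column names are assumed for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE topics (tid INTEGER PRIMARY KEY, subject TEXT)");
$db->exec("CREATE TABLE threads (id INTEGER PRIMARY KEY, tid INTEGER, author TEXT, body TEXT, subject TEXT)");
// Constructed topic whose subject contains a single quote, like the one in the error.
$db->exec("INSERT INTO topics (tid, subject) VALUES (1, 'I''m not one to complain..')");

// Constructed request values, standing in for $_POST and the poster's variables.
$newtid = "1";
$name   = "pinehead18";
$body   = "Didn't work for me either.";

// Read the subject back through a prepared statement: the topic id is bound as a
// parameter instead of being pasted into the WHERE clause.
$stmt = $db->prepare("SELECT subject FROM topics WHERE tid = :tid");
$stmt->execute([':tid' => $newtid]);
$subject = "RE:" . $stmt->fetchColumn();

// 1. Raw interpolation, as in the original post. The ' inside $subject and $body
//    ends the string literal early, so the statement is malformed and, with input
//    chosen by an attacker, injectable.
try {
    $db->exec("INSERT INTO threads (tid,author,body,subject) VALUES ('$newtid','$name','$body','$subject')");
    echo "unescaped insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "unescaped insert failed: " . $e->getMessage() . "\n";
}

// 2. Escape every value before interpolating it. PDO::quote is the PDO-era
//    counterpart of mysql_real_escape_string: it escapes using the connection's
//    settings and adds the surrounding quotes itself.
$sql = sprintf(
    "INSERT INTO threads (tid,author,body,subject) VALUES (%s,%s,%s,%s)",
    $db->quote($newtid), $db->quote($name), $db->quote($body), $db->quote($subject)
);
$db->exec($sql);

// 3. Bound parameters: the values never become part of the SQL text, so no
//    escaping is needed and quotes in user input cannot change the statement.
$stmt = $db->prepare(
    "INSERT INTO threads (tid,author,body,subject) VALUES (:tid,:author,:body,:subject)"
);
$stmt->execute([':tid' => $newtid, ':author' => $name, ':body' => $body, ':subject' => $subject]);

// Both safe forms stored the quotes intact; print what ended up in the table.
foreach ($db->query("SELECT author, subject, body FROM threads") as $row) {
    echo "{$row['author']} | {$row['subject']} | {$row['body']}\n";
}
```

Run it with the PHP CLI. The first INSERT fails with a syntax error of the same kind as the one quoted in the opening post; the other two store the quote as data. Escaping per value fixes the error, but bound parameters are the form to reach for: there is nothing to forget to escape, and a ' in $_POST['newtid'] cannot alter the WHERE clause either.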
Lord Sauron
Forum Commoner
Posts: 85
Joined: Tue Apr 20, 2004 5:53 am
Location: Tilburg, NL

Post by Lord Sauron »

$sql = "SELECT subject FROM topics WHERE tid='$_POST['newtid']';"
markl999
DevNet Resident
Posts: 1972
Joined: Thu Oct 16, 2003 5:49 pm
Location: Manchester (UK)

Post by markl999 »

$sql = "SELECT subject FROM topics WHERE tid='$_POST['newtid']';"
Can't do that as the single quotes will mess it up ;)
Have to use $sql = "SELECT subject FROM topics WHERE tid='{$_POST['newtid']}';"