Error when ' in the sql insert

Posted: Tue Aug 31, 2004 8:55 pm
by pinehead18
In my forums, if there is a ' in the subject it will add it to the DB. However, it will not allow people to post a reply. This is the error I get:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'm not one to complain..','1')' at line 2

This is my code..

Code:

<?php
// $con is the MySQL link opened earlier on the page (not shown in the post).
$sql = "SELECT subject FROM topics WHERE tid='{$_POST['newtid']}'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$subject = $row['subject'];
$subject = "RE:" . $subject;
// The subject is interpolated into the SQL text without escaping: a ' inside
// it (e.g. "I'm not one to complain...") closes the string literal early and
// produces the syntax error quoted above.
$sql = "INSERT INTO threads (tid,author,body,date,subject,forum_id) VALUES
    ('$newtid','$name','$body','$date','$subject','$fid')";
mysql_query($sql, $con) or die(mysql_error());
mysql_close();
?>

Posted: Tue Aug 31, 2004 8:57 pm
by nigma
Check out PHP's manual entry for the function mysql_escape_string: http://us4.php.net/manual/en/function.m ... string.php

Let me know if things work out.

Posted: Tue Aug 31, 2004 9:17 pm
by tim
To add on to nigma, it's better (and recommended) to use http://us4.php.net/manual/en/function.m ... string.php instead of the above suggested function.

Posted: Wed Sep 01, 2004 1:18 am
by Lord Sauron
$sql = "SELECT subject FROM topics WHERE tid='$_POST['newtid']';"

Posted: Wed Sep 01, 2004 8:32 am
by markl999
$sql = "SELECT subject FROM topics WHERE tid='$_POST['newtid']';"
Can't do that as the single quotes will mess it up ;)
Have to use $sql = "SELECT subject FROM topics WHERE tid='{$_POST['newtid']}';"
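The same reply-insert rewritten so that the subject and the other values are bound as data instead of being spliced into the SQL string, which is what lets an apostrophe in "I'm not one to complain..." break the statement. This is an added example, not code from any poster, and it uses mysqli prepared statements rather than the mysql_real_escape_string() call the replies recommend; it assumes placeholder connection details and that $name, $body, $date and $fid have already been set from the form as in the original post.

```php
<?php
// Added example (not from the thread). Connection values are placeholders.
$con = new mysqli('localhost', 'forum_user', 'CHANGE_ME', 'forum');
if ($con->connect_error) {
    die('Connection failed: ' . $con->connect_error);
}

function postReply(mysqli $con, int $newtid, string $name, string $body,
                   string $date, int $fid): bool
{
    // Parent subject lookup: the topic id is a bound parameter, not text
    // interpolated into the statement.
    $stmt = $con->prepare('SELECT subject FROM topics WHERE tid = ?');
    $stmt->bind_param('i', $newtid);
    $stmt->execute();
    $stmt->bind_result($parentSubject);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false; // unknown topic id
    }

    // The subject travels as a bound value, so a ' inside it is just data and
    // can no longer terminate the string literal in the INSERT.
    $subject = 'RE:' . $parentSubject;

    $stmt = $con->prepare(
        'INSERT INTO threads (tid, author, body, date, subject, forum_id)
         VALUES (?, ?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('issssi', $newtid, $name, $body, $date, $subject, $fid);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Same request fields as the original post; $name, $body, $date and $fid are
// assumed to be set from the form already.
$ok = postReply($con, (int) $_POST['newtid'], $name, $body, $date, (int) $fid);
$con->close();
```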