  1. #1 JREAM

    html special chars, or magic gpc quotes

    I was wondering which is the popular one to use for importing safe MySQL stuff? I think gpc_mq is going off in PHP 6 or something like that, but what do you guys use for this? I don't want to use htmlspecialchars if it's out of date.

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='a page about a guy lol', content='Willard Christopher \"Will\" Smith, J' at line 6

  2. #2 JREAM
    Oh, mysql_real_escape_string I think it is.

  3. #3 spikeZ
    Yes it is, JREAM.

    Off Topic:

    Thanks for the report btw.

  4. #4 JREAM
    Thanks :-]

    I guess I didn't crack the code!


    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='a page about a guy lol', content='test', parent_id='0', position=' at line 6

    I printed out the SQL statement and I don't know if I am missing something or have written something wrong; I've gone over it a few times. (I just put Will Smith in there because it was the first thing I thought of, LOL.)

    INSERT INTO page SET title='TEST', slug='will-smith', breadcrumb='Will Smith', keywords='music, rapper, cool', desc='a page about a guy lol', content='test', parent_id='0', position='3'

    PHP Code:
    <?php
    // Note: $title is used unescaped; the other string fields go through mysql_real_escape_string()
    $title       = $_POST['title'];
    $slug        = mysql_real_escape_string($_POST['slug']);
    $breadcrumb  = mysql_real_escape_string($_POST['breadcrumb']);
    $keywords    = mysql_real_escape_string($_POST['keywords']);
    $description = mysql_real_escape_string($_POST['desc']);
    $content     = mysql_real_escape_string($_POST['content']);
    $parent_id   = $_POST['parent_id']; // !!!!! do a number validation l8r
    $position    = $_POST['position'];  // !!!!! do a number validation l8r

    // validation junk here l8r

    // Do SQL here
    $query = "INSERT INTO page SET
            title='$title',
            slug='$slug',
            breadcrumb='$breadcrumb',
            keywords='$keywords',
            desc='$description',
            content='$content',
            parent_id='$parent_id',
            position='$position'";

  5. #5 Wuiqed
    Take a look at this Nettuts article and scroll down to the SQL Injection section. They recommend using addcslashes instead of mysql_real_escape_string to also escape the percent sign (%).

    To solve your current problem: you are using the INSERT query wrong. SET is used in an UPDATE query. Your INSERT query should look like this:
    PHP Code:
    <?php
    // Column list followed by a matching VALUES list
    $query = "INSERT INTO page (title, slug, breadcrumb, keywords, desc, content, parent_id, position)
              VALUES ('$title', '$slug', '$breadcrumb', '$keywords', '$desc', '$content', '$parent_id', '$position')";

  6. #6
    desc is a reserved word in MySQL:
    http://dev.mysql.com/doc/refman/5.1/...ved-words.html

    Either use backticks (`desc`) or just do the right thing and change the name to description or something else.

    Btw, use prepared statements and you don't have to mess with escaping values used in SQL queries anymore. You would do yourself some good to familiarize yourself with PDO.
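    As an added illustration of the advice in post #6 (not code from anyone in this thread): the same INSERT written with PDO prepared statements, with `desc` backticked and the two numeric fields validated as integers. The DSN, credentials, and the `page` table layout are assumed to match the original poster's setup.

```php
<?php
// Added example, not from the thread. Connection values below are assumptions.
$pdo = new PDO(
    'mysql:host=localhost;dbname=example;charset=utf8mb4', // assumed DSN
    'dbuser',                                              // assumed credentials
    'dbpass',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // SQL errors become exceptions
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Validate the numeric fields instead of trusting the raw POST values.
// filter_var() returns false for anything that is not a whole number >= 0.
$intOpts  = ['options' => ['min_range' => 0]];
$parentId = filter_var($_POST['parent_id'] ?? '', FILTER_VALIDATE_INT, $intOpts);
$position = filter_var($_POST['position']  ?? '', FILTER_VALIDATE_INT, $intOpts);
if ($parentId === false || $position === false) {
    http_response_code(400);
    exit('parent_id and position must be non-negative integers');
}

// `desc` is a MySQL reserved word, so it is quoted with backticks here;
// renaming the column (e.g. to description) avoids the issue entirely.
$sql = 'INSERT INTO page (title, slug, breadcrumb, keywords, `desc`, content, parent_id, position)
        VALUES (:title, :slug, :breadcrumb, :keywords, :desc, :content, :parent_id, :position)';

$stmt = $pdo->prepare($sql);
// Values are sent separately from the SQL text, so no manual escaping is needed.
foreach (['title', 'slug', 'breadcrumb', 'keywords', 'desc', 'content'] as $field) {
    $stmt->bindValue(':' . $field, (string) ($_POST[$field] ?? ''), PDO::PARAM_STR);
}
$stmt->bindValue(':parent_id', $parentId, PDO::PARAM_INT);
$stmt->bindValue(':position',  $position, PDO::PARAM_INT);
$stmt->execute();

echo 'Inserted page id ' . $pdo->lastInsertId();
```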

  7. #7 JREAM
    Cool, thanks you guys, I just woke up lol..

    I am trying to take this one crumb at a time; this will get very complex if I don't go slow haha.
