html special chars, or magic gpc quotes

**JREAM** · Feb 15, 2009 07:56

I was wondering what is the popular one to use for importing safe MySQL stuff? I think gpc_mq is going off in php6 or something like that, but what do you guys use for this i dont wanna use htmlspecialchars if its outta date.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='a page about a guy lol', content='Willard Christopher \"Will\" Smith, J' at line 6

**JREAM** · Feb 15, 2009 08:10

Oh mysql real escape strings I think it is

**spikeZ** · Feb 15, 2009 08:19

Yes it is JREAM

Off Topic:

thanks for the report btw

**JREAM** · Feb 15, 2009 08:25

Thanks :-]

I guess I didn't crack the code!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'desc='a page about a guy lol', content='test', parent_id='0', position=' at line 6

I printed out the SQL statement and I don't know if I am missing something written wrong I've gone over it a few times. (I just put will smith in there because it was the first thing i thought of LOL)

INSERT INTO page SET title='TEST', slug='will-smith', breadcrumb='Will Smith', keywords='music, rapper, cool', desc='a page about a guy lol', content='test', parent_id='0', position='3'

PHP Code:


$title = $_POST['title'];
$slug = mysql_real_escape_string($_POST['slug']);
$breadcrumb = mysql_real_escape_string($_POST['breadcrumb']);
$keywords = mysql_real_escape_string($_POST['keywords']);
$description = mysql_real_escape_string($_POST['desc']);
$content = mysql_real_escape_string($_POST['content']);
$parent_id = $_POST['parent_id']; // !!!!!do a number validation l8r
$position = $_POST['position'];// !!!!!do a number validation l8r

//validation junk here l8r

    // Do SQL Here
    
        $query = "INSERT INTO page SET
        title='$title',
        slug='$slug',
        breadcrumb='$breadcrumb',
        keywords='$keywords',
        desc='$description',
        content='$content',
        parent_id='$parent_id',
        position='$position'";

**Wuiqed** · Feb 15, 2009 08:34

Take a look at this Nettuts article and scroll down to the SQL Injection section. They recommend using addcslashes instead of mysql_real_escape_string to also escape the percent sign (%).

To solve your current problem: you are using the INSERT query wrong. SET is used in an UPDATE query. Your INSERT query should look like this:

PHP Code:


$query = "INSERT INTO page (title, slug, breadcrumb, keywords, desc, content, parent_id, position) 
          VALUES ('$title', '$slug', '$breadcrumb', '$keywords', '$desc', '$content', '$parent_id', '$position')

**crmalibu** · Feb 15, 2009 10:35

desc is a reserved word in mysql
http://dev.mysql.com/doc/refman/5.1/...ved-words.html

either use backticks `desc` or just do the right thing and change the name to description or something else.

Btw, use prepared statements and you don't have to mess with escaping values used in sql querys anymore. You would do yourself some good to familiarize yourself with PDO

**JREAM** · Feb 15, 2009 17:56

cool thanks oyu guys i just woke up lol..

I am trying to take this is one crumb at a time this will get very complex if i dont go slow haha

User Tag List

Thread: html special chars, or magic gpc quotes

Thread Tools

Display

html special chars, or magic gpc quotes

Bookmarks

Bookmarks

Posting Permissions