Error: Field Doesn't Like Apostrophes

PHP
1

I have a form field that works fine until you put apostrophe’s in it.

If you put an apostrophe in the field you get this error message:

There was an error! For
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to…



<?php
if(isset($_POST['new_list']))
{
   $list_name = $config->secure($_POST['list_name'],'text');
   $user_id =  $config->secure($_SESSION['id'],'text');
   $private =  $config->secure($_POST['private'],'text');
   
   $list = new lists;
   $addlist = $list->addlist($user_id,$list_name,$private);
}
?>

Thanks in advance if someone could take time to help me fix this.

Troy

2

It means the code (not shown) that puts the text into the database isn’t escaping it properly.

3

You need mysql_real_escape_string.
I run everything through it, see code below.


function sanitize_me($arr){
	foreach ($arr as $name => $value){
	   if(get_magic_quotes_gpc()) {
	   $value = stripslashes($value);
	   $name = stripslashes($name);
	   } else {}


	$name = mysql_real_escape_string($name);	
	$value = mysql_real_escape_string($value);
//echo '<pre>req'; print_r($_REQUEST); echo '</pre>';
	$arret[$name] = $value;
	}
return $arret; 
} 
if (!empty($_POST))   { $_POST =  sanitize_me($_POST);    } 
if (!empty($_GET))    { $_GET =  sanitize_me($_GET);      }
if (!empty($_COOKIE)) { $_COOKIE = sanitize_me($_COOKIE); }
4

Not a good practice if you’re doing anything other than inserting values into a database in code that includes this.

5 
<?php

class lists
{
   
   function addlist($user_id,$list_name,$public)
   {
      if(empty($user_id)||empty($list_name))
      {
         echo "<div id='error'>Please fill in the required values!</div>";
      }
      else
      {
         if($public=='true')
         {
            $private = 'true';
         }
         else
         {
            $private = 'false';
         }
         
         $result2 = mysql_query("SELECT * FROM lists WHERE user_id='$user_id' ORDER BY id desc LIMIT 1");
         
         $row2 = mysql_fetch_array($result2);
         
         $new = $row2['list_order']+1;
         
         $date = date('D/M/Y');
         $sql="INSERT INTO lists (id, user_id, list_name, date, public, list_order) VALUES ('NULL','$user_id','$list_name','$date','$private','$new')";     
         if(!mysql_query($sql))
         {
            echo "<div id='error'>There was an error! For </div>".mysql_error();
         }
         else
         {
            echo "<script type='text/javascript'>window.location='view.php?id=".mysql_insert_id()."';</script>";
         }
      }
   }
   
   function display($user_id)
   {
      if(empty($user_id))
      {
         echo "<div id='error'>Please fill in the user ID!</div>";
      }
      else
      {
         $result = mysql_query("SELECT * FROM lists WHERE user_id='$user_id' ORDER BY list_order asc");
         
         if(mysql_num_rows($result)<=0)
         {
            echo "You have no lists!";
         }
         else
         {
            echo "<h2 class='title2'>Your lists</h2>";
            
            echo "<ul id='lists'>";
         
         
            while($row = mysql_fetch_array($result))
            {
               $result2 = mysql_query("SELECT * FROM todos WHERE list_name='".$row['id']."' AND done='false'");
               $num = mysql_num_rows($result2);
               if($num>0)
               {
                  echo "<li id='listItem_".$row['id']."'><div class='handle2'><span><small>".$num." left</small></span><h3><a href='view.php?id=".$row['id']."'>".$row['list_name']."</a></h3></div></li>";
               }
            }
            echo "</ul>";
         }
      }
   }
   
   function display_complete($user_id)
   {
      if(empty($user_id))
      {
         echo "<div id='error'>Please fill in the user ID!</div>";
      }
      else
      {
         $result = mysql_query("SELECT * FROM lists WHERE user_id='$user_id' and draft='no'");
         
         while($row = mysql_fetch_array($result))
         {
            $result2 = mysql_query("SELECT * FROM todos WHERE list_name='".$row['id']."' and done='false'");
            $num = mysql_num_rows($result2);
            if($num<=0)
            {
               echo "<a href='view.php?id=".$row['id']."'>".$row['list_name']."</a> , ";
            }
         }
      }
   }
   
   function display_drafts($user_id)
   {
      if(empty($user_id))
      {
         echo "<div id='error'>Please fill in the user ID!</div>";
      }
      else
      {
         $result = mysql_query("SELECT * FROM lists WHERE user_id='$user_id' and draft='' ");
         
         while($row = mysql_fetch_array($result))
         {
               echo "<a href='view.php?id=".$row['id']."'>".$row['list_name']."</a> , ";
         }
      }
   }
   
   function share($email,$id)
   {
      if(empty($email))
      {
         echo "<div id='error'>Please fill in the email field!</div>";
      }
      else
      {
         $pattern = "^[_a-z0-9-]+(\\.[_a-z0-9-]+)*@[a-z0-9-]+(\\.[a-z0-9-]+)*(\\.[a-z]{2,3})$";
     
         if (!eregi($pattern, $email)){
            echo "<div id='error'>Please enter a valid email!</div>";
         }
         else
         {
            $to = $email;
            $subject = "Todo-Frog Invitation";
            $message = "Hello! /n I want to share a todo-list with you.    http://www.todofrog.com/lists/pubview.php?id=$id";
            $from = "admin@todofrog.com";
            $headers = "From: Todofrog";
            mail($to,$subject,$message,$headers);
            echo "Successfully sent!";
         }
      }
   }
   
   function add_todo($name,$list_id,$user_id)
   {
      if(empty($list_id)||empty($user_id)||empty($name))
      {
         echo "<div id='error'>Please fill in all of the values!</div>";
      }
      else
      {
         $result2 = mysql_query("SELECT * FROM todos WHERE list_name='$list_id' ORDER BY id desc LIMIT 1");
         
         $row2 = mysql_fetch_array($result2);
         
         $new = $row2['todo_order']+1;
         
         $sql="INSERT INTO todos (id, todo_name, user_id, list_name, todo_order, todo_about,done) VALUES ('NULL','$name','$user_id','$list_id','$new','You have not added an about for this todo yet!','false')";
         
         $sql2="UPDATE lists SET draft='no' where id = '$list_id'";
         
         if(!mysql_query($sql2))
         {
           die("ERROR!");
         }
         
         if(!mysql_query($sql))
         {
           die("Error!");
         }
      }
   }
   
   function edit_list($about,$name,$id,$user_id)
   {
      if(empty($about)||empty($name)||empty($id))
      {
         echo "<div id='error'>Please fill in the required values!</div>";
      }
      else
      {
         mysql_query("UPDATE todos SET todo_name = '$name', todo_about='$about' WHERE id = '$id' AND user_id = '$user_id'");
         echo "<div id='correct'>Successfully edited!</div>";
      }
   }      
   
   function display_todos($list_id,$user_id)
   {
      if(empty($list_id)||empty($user_id))
      {
         echo "<div id='error'>Please fill in the required values!</div>";
      }
      else
      {
         $result2 = mysql_query("SELECT * FROM todos WHERE list_name='$list_id' AND user_id='$user_id' ORDER BY todo_order asc");
         
         echo "<ul id='test-list'>";
         
         while($row2 = mysql_fetch_array($result2))
         {
               
       if(mysql_num_rows($result2)<=0)
         {
            echo "You have no lists!";
         }  
         else
         {
               echo "<a class='list_".$row['done']."' id='listItem_".$row2['id']."'><div class='handle'><span><a href='#' class='delete'>Delete</a> | <a href='edit.php?id=".$row2['id']."'>Edit</a> | <a href='viewtodo.php?id=".$row2['id']."'>View</a></span>".$row2['todo_name']."</div></li>";}
         }

      }
   }
         

}
?>
6

Hi Troy

I’m completely baffled by this…

but putting that to one side, htmlentities would do the job as well as a simple string replace. The advantage of this would be that the apostrophe is preserved in the database field and may save you the bother of having to decode the apostrophe in certain situations… although if you are trying to use the data to output valid XHTML you would need to encode the apostrophe for presentation anyway.


str_replace("'","''",$var);
7

You need to use mysql_real_escape_string on the values to escape certain characters and byte sequences before putting a string into a SQL query.

You should not use htmlentities. That is an output function, and storing HTML entities instead of the input as it was provided greatly limits what you can do with that database.

8

i bow to dan’s superior knowledge