error when I use ' in a text box

Getting this error in my script:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's incredible attention to detail, which will now serve as the new benchmark for '
I'm entering text into a text box and when I use ' in the text I get this error. For example, "it's" will cause the error.
Here is the script
[php]<?php
require_once("conn.php");
require_once("includes.php");
require_once("access.php");
if(isset($_POST['s1']))
{
if($_POST['content_type'] == "cheat")
{
$ItemID = $_POST['item_id_1'];
$ContentTitle = strip_trim($_POST['cheat_title']);
$ContentText = strip_trim($_POST['cheat_text']);
}
else
{
$ItemID = $_POST['item_id_2'];
$ContentTitle = strip_trim($_POST['review_title']);
$ContentText = strip_trim($_POST['review_text']);
$rating = $_POST['rating'];
}
// values are interpolated straight into the SQL, so an apostrophe in the text ends the quoted value early
$q1 = "insert into games_content set
ContentType = '$_POST[content_type]',
ItemID = '$ItemID',
ContentTitle = '$ContentTitle',
ContentText = '$ContentText',
rating = '$rating',
date_added = '$t',
user_id = '$_SESSION[MemberID]' ";
mysql_query($q1) or die(mysql_error());
$last = mysql_insert_id();
header("location:view.php?cmd=$_POST[content_type]&id=$last&content_id=$ItemID");
exit();
}

if($_POST['content_type'] == "cheat" || empty($_POST['content_type']))
{
$checked1 = "checked";
}
elseif($_POST['content_type'] == "review")
{
$checked2 = "checked";
}
require_once("templates/HeaderTemplate.php");
require_once("templates/AddReviewTemplate.php");
require_once("templates/FooterTemplate.php");
?>[/php]
thanks in advance

You need to escape special characters in any string value before using it in your SQL query. To escape an apostrophe it is enough to use addslashes(), but to escape all the special characters a user may enter you need to use mysql_real_escape_string().

For your code:
[php]
$q1 = "insert into games_content set
ContentType = '".mysql_real_escape_string($_POST['content_type'])."',
ItemID = '".mysql_real_escape_string($ItemID)."',
ContentTitle = '".mysql_real_escape_string($ContentTitle)."',
ContentText = '".mysql_real_escape_string($ContentText)."',
rating = '".mysql_real_escape_string($rating)."',
date_added = '".mysql_real_escape_string($t)."',
user_id = '".mysql_real_escape_string($_SESSION['MemberID'])."' ";
[/php]

Thanks, that worked, but how do I get it to keep the line breaks as well?

Thanks again.

How would I do this for this?

I tried applying the same thing to this code. The difference between this code and the previous one is that here the admin is editing the review and updating the database.

[php]
require_once("AdminNavigation.php");
if(isset($_POST['s1']))
{
$q1 = "update games_content set
ItemID = '$_POST[item_id_1]',
ContentTitle = '$_POST[review_title]',
ContentText = '$_POST[review_text]',
rating = '$_POST[rating]'
where ContentID = '$_GET[ContentID]' ";
mysql_query($q1);
if(!mysql_error())
{
$message1 = "
This review has been updated!";
$message2 = "<a href=\"list_content.php?cmd=review&ItemID=$_GET[ItemID]\" class=\"BlackLink\">Back to reviews</a>";
}
}
//get the review info
$q1 = "select * from games_content where ContentID = '$_GET[ContentID]' ";
$r1 = mysql_query($q1) or die(mysql_error());
$a1 = mysql_fetch_array($r1);
?>


Edit this review<?=$message1?>
Game: <?=select_item($a1['ItemID'], "item_id_1");?>
Review Title:
Add Gossip here: <?=$a1['ContentText']?>
Rate game: <?=select_rating($a1['rating']);?>
<?=$message2?>
<?php require_once("admin_footer.php"); ?>

[/php]

thanks
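As an added example (not code posted in this thread), here are the insert from the first script, the admin update from this one, and the display step that keeps the line breaks, rewritten with PDO prepared statements. With bound parameters the apostrophe in "it's" reaches MySQL as data, so neither addslashes() nor mysql_real_escape_string() is needed (the mysql_* functions are removed in PHP 7 in any case). Assumptions: a MySQL connection through PDO, the games_content columns named in the thread, that date_added accepts NOW(), and the helper names connect, insertContent, updateReview and renderText, which are mine.

```php
<?php
// Added example, not the original poster's code. Assumes the games_content
// columns from the thread and that date_added is a DATETIME column.

function connect(string $dsn, string $user, string $pass): PDO
{
    // e.g. 'mysql:host=localhost;dbname=games;charset=utf8mb4'
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Insert a cheat or a review; returns the new ContentID.
function insertContent(PDO $pdo, array $post, int $memberId): int
{
    // Whitelist the type instead of copying $_POST[content_type] into the SQL.
    $type = $post['content_type'] ?? 'cheat';
    if (!in_array($type, ['cheat', 'review'], true)) {
        throw new InvalidArgumentException('bad content_type');
    }
    if ($type === 'cheat') {
        $itemId = (int)($post['item_id_1'] ?? 0);
        $title  = trim($post['cheat_title'] ?? '');
        $text   = trim($post['cheat_text'] ?? '');
        $rating = null;
    } else {
        $itemId = (int)($post['item_id_2'] ?? 0);
        $title  = trim($post['review_title'] ?? '');
        $text   = trim($post['review_text'] ?? '');
        $rating = (int)($post['rating'] ?? 0);
    }

    $stmt = $pdo->prepare(
        'INSERT INTO games_content
            (ContentType, ItemID, ContentTitle, ContentText, rating, date_added, user_id)
         VALUES (:type, :item, :title, :text, :rating, NOW(), :member)'
    );
    $stmt->execute([
        ':type'   => $type,
        ':item'   => $itemId,
        ':title'  => $title,   // "it's" is stored verbatim; nothing to escape
        ':text'   => $text,    // newlines are stored verbatim as well
        ':rating' => $rating,
        ':member' => $memberId,
    ]);
    return (int)$pdo->lastInsertId();
}

// Admin update: the ContentID from the query string is a bound value too.
function updateReview(PDO $pdo, array $post, int $contentId): int
{
    $stmt = $pdo->prepare(
        'UPDATE games_content
            SET ItemID = :item, ContentTitle = :title, ContentText = :text, rating = :rating
          WHERE ContentID = :id'
    );
    $stmt->execute([
        ':item'   => (int)($post['item_id_1'] ?? 0),
        ':title'  => trim($post['review_title'] ?? ''),
        ':text'   => trim($post['review_text'] ?? ''),
        ':rating' => (int)($post['rating'] ?? 0),
        ':id'     => $contentId,
    ]);
    return $stmt->rowCount();
}

// Display: HTML-escape first so a review cannot inject markup into the page,
// then turn the stored newlines into <br> so the line breaks show.
function renderText(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

// Usage in the pages above (replaces the raw <?=$a1[ContentText]?>):
// $pdo = connect('mysql:host=localhost;dbname=games;charset=utf8mb4', 'user', 'pass');
// $id  = insertContent($pdo, $_POST, (int)$_SESSION['MemberID']);
// updateReview($pdo, $_POST, (int)$_GET['ContentID']);
// echo renderText($a1['ContentText']);
```

The line breaks were never lost in the database; they disappear only when the text is printed into HTML, where a bare newline is whitespace. Escaping before nl2br() matters: the other order would let a "<" typed in a review become a tag, and nl2br() only adds <br /> tags, which htmlspecialchars() would then mangle.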

Figured it out.
