stripslashes was working just fine till the server upgraded from PHP 5.2 to 5.4. When I add an apostrophe in the field named “Salary” so for an example O’Brien, this is the message sent back to the browser:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘s’, ‘]’)’ at line 3

Here is my PHP below. I’m completely stumped. I hope somebody can help.

The first script is the input page and the 2nd script is the output where I get the error message

<?php
//start a session
session_start();

//validate user to see if they are allowed to be here
if ($_SESSION['valid'] != "yes") {
	header("Location: http://www.localhost/orion/contact_menu.php");
	exit; // stop here, otherwise the rest of the page is still sent after the redirect header
}
?>

<title>Yacht Job Orders Management System</title>
<h1>Yacht Job Orders Management System</h1>
<h2><em>Add a Yacht</em></h2>
<form method="post" action="do_addcontact4.php">
<table cellspacing=3 cellpadding=3>
<td valign=top>

<table cellspacing=3 cellpadding=5 id="table1">
<td valign=top>
<strong>Position Needed:</strong><br>
<input type="text" name="position" size=35 maxlength=50>
<input type="text" name="salary" size=35 maxlength=10></p>

<p><strong>Start Date:</strong><br>
<input type="text" name="startdate" size=35 maxlength=10><br>
<i><font size="2">The above field must be filled out <br>in the following format: YYYY-MM-DD</br></font></i></p>


And here’s the 2nd script where there is echo stripslashes:

$db_name = "database";
$table_name = "new_joborders";
$connection = @mysql_connect("localhost", "database", "password")

or die(mysql_error());

$db = @mysql_select_db($db_name, $connection) or die(mysql_error());
// note the stray ']' after startdate, which is the ']' the MySQL error message quotes
$sql = "INSERT INTO $table_name
(id, position, salary, startdate) VALUES
('', '$_POST[position]', '$_POST[salary]', '$_POST[startdate]]')";
$result = @mysql_query($sql,$connection) or die(mysql_error());

Yacht Job Orders Management System: Contact Added

Yacht Job Orders Management System

Add a Contact - Yacht Added

The following information was successfully added to database

Position Needed:
<? echo stripslashes($_POST[position]); ?> Salary:
<? echo "$_POST[salary]"; ?>

Start Date:
<? echo "$_POST[startdate]"; ?>




Are you aware 5.4 is 6 years old? I’d highly recommend updating to a newer PHP version.

Short tags are no longer supported (shorthand echoes still work)

[php] $connection = @mysql_connect(“localhost”, “database”, “password”)[/php]
Ignoring (silencing with @) errors is very bad practice. The mysql_* functions have been removed from newer PHP versions. They were replaced by PDO and MySQLi 12-13 years ago. They both offer a real way to avoid SQL injection hacks with prepared and parameterized queries. No more escaping strings! You should definitely change!

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's', ']')' at line 3

This will no longer be an issue if you use prepared/parameterized queries as your queries will no longer be a jumbled mess of quotes.


Your code is vulnerable to sql injection and xss hacks. I’d highly advise doing some work with this as I assume it’s a live site/system.


So are you saying I should use <?php instead of just <?

Also, should I have my sql connection in an includes directory? Thanks so much for your help. Also, I still don’t understand why a simple stripslashes function in my echo statement doesn’t escape the apostrophe as it did before in this simple code below

[code]Position Needed:

<? echo stripslashes($_POST[position]); ?>[/code]


stripslashes shouldn’t be used anyway. Parameterized statements are what you want to use. stripslashes does what it says as well, it removes the slash not add them.


I’ll certainly read up on it, but is there any way you can give me an example implementing my script?


[url]htmlentities()[/url] is what you want when printing user provided data.
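An added example (not the poster's script and not code from anyone in the thread) showing the second script rewritten the way the replies suggest: PDO with a prepared, parameterized INSERT, and htmlspecialchars() on everything echoed back. Table and column names are the ones from the post; the host, database name, user and password are placeholders, and it assumes `id` is an AUTO_INCREMENT column so it can be left out of the INSERT.

```php
<?php
// Added example: the poster's INSERT rewritten with PDO prepared statements.
// Credentials below are placeholders and must be replaced.
session_start();
if (($_SESSION['valid'] ?? '') !== 'yes') {
    header('Location: http://www.localhost/orion/contact_menu.php');
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=database;charset=utf8mb4',
    'database',   // placeholder user
    'password',   // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently failing
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

// Read the form fields as plain values; no stripslashes/addslashes anywhere.
$position  = $_POST['position']  ?? '';
$salary    = $_POST['salary']    ?? '';
$startdate = $_POST['startdate'] ?? '';

// Enforce the YYYY-MM-DD format the form asks for before touching the database.
$d = DateTime::createFromFormat('Y-m-d', $startdate);
if ($d === false || $d->format('Y-m-d') !== $startdate) {
    die('Start date must be in the format YYYY-MM-DD');
}

// Values are sent as bound parameters, so O'Brien (or any quote or bracket)
// is stored as data and can never change the structure of the query.
$stmt = $pdo->prepare(
    'INSERT INTO new_joborders (position, salary, startdate)
     VALUES (:position, :salary, :startdate)'
);
$stmt->execute([
    ':position'  => $position,
    ':salary'    => $salary,
    ':startdate' => $startdate,
]);

// Escape on output so the echoed values are shown as text, not interpreted as HTML.
function h($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }
?>
<p><strong>Position Needed:</strong> <?php echo h($position); ?></p>
<p><strong>Salary:</strong> <?php echo h($salary); ?></p>
<p><strong>Start Date:</strong> <?php echo h($startdate); ?></p>
```

With ERRMODE_EXCEPTION a failed connection or query raises a PDOException instead of being hidden by @, so wrap the database calls in a try/catch on a live site and log the exception rather than printing it to the browser.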