1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

SQL error when I enter the apostrophe '

Discussion in 'Off Topic' started by pk698, Aug 17, 2010.

  1. pk698

    pk698 Active Member

    I have a php script that someone coded for me. but it's giving me a mysql error when I enter the apostrophe '. Any idea what's going on?
     
  2. Lucas

    Lucas Well-Known Member

    If you gives us the complete query/code we might be able to help you better. :)
     
  3. pk698

    pk698 Active Member

    Code:
    
    <?php include("includes/setup.php");
    $module = 'add-to-list.php';
    $authorizedUsers = "1,2";
    $restrictGoTo = "login.php";
    include("includes/access.php");
    $fi=$_GET['fi'];
    if(isset($_POST['submitform']))
    {
    $error =false;
    if($_POST['post_desc'] == "" or $_POST['post_desc']=='<br />')
    {
    $message->add($module, 'post description can not be empty');
    $error = true;
    }
    if($error === false)
    { //close if want to use html tag
    //if($_SESSION['user']['privilege_id']<> '2')
    //{
    //$ins_post_desc = sanitize_string($_POST['post_desc']);
    //}
    //else
    //{
    $ins_post_desc = $_POST['post_desc'];
    //}
    $query_insert = mysql_query("insert into post(forum_id,post_desc,user_post_create,ip_user_post,post_date_created) values('".$_POST['fi']."','".$ins_post_desc."','".$_SESSION['user']['user_id']."','".$_SERVER['REMOTE_ADDR']."',now())") or die(mysql_error());
    die(header("location:index.php?fi=".$_POST['fi']."&msg=succes post&status=success"));
    }
    $fi=$_POST['fi'];
    }
    else
    {
    if($_GET['fi'] =="")
    {
    die(header("location:index.php?msg=this list can not be found&status=error"));
    }
    else
    {
    if($forum_class->display_forum($_GET['fi'],'forum_id') == "")
    {
    die(header("location:index.php?msg=this list can not be found&status=error"));
    }
    $admin_only = $forum_class->display_forum($_GET['fi'],'admin_only');
    if($admin_only == 1 and $_SESSION['user']['privilege_id'] <> '2')
    {
    die(header("location:index.php?msg=only admin can post to this channel&status=error"));
    }
    }
    }
    $forum_title = $forum_class->display_forum($_GET['fi'],'forum_title');
    include "includes/template/header.php";
    include 'includes/message_stack.php';
    ?>
    <!--
    <script src="includes/ext/mootool/moo.js" type="text/javascript"></script>
    <script>
    
    var Countable = new Class({
    
    initialize: function(inputId, max, className, errorClass) {
    
    this.input = $(inputId);
    this.max = max;
    this.className = className ? className : "count";
    this.errorClass = errorClass ? errorClass : "error";
    
    this.handle = new Element("div", {'class': this.className});
    this.handle.setHTML('&nbsp;').injectBefore(this.input);
    this.input.addEvent('keydown', this.onKeyPress.bindWithEvent(this));
    this.input.addEvent('keyup', this.onKeyPress.bindWithEvent(this));
    this.update();
    
    },
    
    onKeyPress: function(event) {
    event = new Event(event);
    if(!event.shift && !event.control && !event.alt && !event.meta) this.update();
    },
    
    update: function() {
    
    if (this.input.value.length > this.max)
    this.input.value = this.input.value.substring(0, this.max);
    
    var count = this.max - this.input.value.length;
    
    if (count == 0) {
    var string = "<span class=\""+this.errorClass+"\"></span>";
    } else if (count == 1) {
    var string = "1 ";
    } else {
    var string = count + " ";
    }
    this.handle.setHTML(string);
    }
    
    });
     
    window.addEvent('domready',function(){
    new Countable("post_desc",340);
    
    });
    
    </script>
    -->
    <form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <table width="100%" align="center" cellpadding="7" cellspacing="0" style="border: 1px solid #cccccc">
    <tr valign="top" bgcolor="<?php echo $bg_style; ?>" style="color:<?php echo $font_style;?>">
    <td colspan="2"> <div align="center"><font color="<?php echo $font_style;?>" class="header"  face="Verdana, Arial, Helvetica, sans-serif"><strong>add new list to <font class="header" size="2"><?php echo $forum_title; ?></font></strong></font></div></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td width="21%">&nbsp;</td>
    
    <td width="79%">
    <?php
    $spaw1 = new SpawEditor("post_desc");
    $spaw1->show();
    ?>
    <!--
    <textarea name="post_desc" id="post_desc" cols="60" rows="8"></textarea>-->
    </td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td>&nbsp;</td>
    <input type="hidden" name="fi" value="<?php echo $fi; ?>">
    <input type="hidden" name="submitform" value="submitform">
    <td><input type="submit" name="Submit2" value="submit"></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td> <div align="right"></div></td>
    
    <td><font size="2">&nbsp; </font></td>
    </tr>
    </table>
    </form>
    <?php
    include "includes/template/footer.php";
    ?>
    
     
  4. pk698

    pk698 Active Member

    And the post page....

    Code:
    <?php include("includes/setup.php");
    $module = 'post.php';
    $authorizedUsers = "1,2";
    $restrictGoTo = "login.php";
    include("includes/access.php");
    if(isset($_POST['submitform']))
    {
    $error =false;
    if($_POST['forum_title'] == "" or $_POST['forum_title']=='<br />')
    {
    $message->add($module, 'post title can not be empty');
    $error = true;
    }
    if($_POST['meta_keywords'] == "" or $_POST['meta_keywords']=='<br />')
    {
    $message->add($module, 'deta keywords can not be empty');
    $error = true;
    }
    if($_POST['meta_desc'] == "" or $_POST['meta_desc']=='<br />')
    {
    $message->add($module, 'meta description can not be empty');
    $error = true;
    }
    if(check_forum_title($_POST['forum_title']))
    {
    $message->add($module, 'that list already exist. you cannot make a duplicate list. click <a href=index.php?fi='.check_forum_title($_POST['forum_title']).'>here</a> to go to that list');
    $error = true;
    }
    if($error === false)
    {
    $query_insert = mysql_query("insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('".$_POST['forum_title']."','".$_POST['forum_desc']."','".$_POST['meta_keywords']."','".$_POST['meta_desc']."','".$_POST['dc_title']."','".$_POST['forum_front_page']."','".$_SERVER['REMOTE_ADDR']."',now(),'".$_SESSION['user']['user_id']."','".$_POST['admin_only']."')") or die(mysql_error());
    $forum_id_new = mysql_insert_id();
    if($_POST['forum_front_page'] == 1)
    {
    db_query("delete from front_page");
    db_query("insert into front_page(forum_id,date_created) values('$forum_id_new',now())");
    }
    die(header("location:post.php?msg=post success&status=success"));
    }
    
    }
    include "includes/template/header.php";
    include 'includes/message_stack.php';
    ?><form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
    <table width="100%" align="center" cellpadding="7" cellspacing="0" style="border: 1px solid #cccccc">
    <tr valign="top" bgcolor="<?php echo $bg_style; ?>">
    <td colspan="2"> <div align="center"><strong><font color="<?php echo $font_style;?>" face="Verdana, Arial, Helvetica, sans-serif">add a new channel</font></strong></div></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td width="21%"> <div align="right"><font color="#000000" size="2"><strong><font face="Verdana, Arial, Helvetica, sans-serif">channel name</font>:</strong></font></div></td>
    
    <td width="79%"><font size="2">
    <input name="forum_title" type="text" id="forum_title" size="65" maxlength="100">
    </font></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td> <div align="right"><font color="#000000" size="2"><strong><font face="Verdana, Arial, Helvetica, sans-serif">
    detail</font>:</strong></font></div></td>
    <td><font color="#990000" size="2">
    <?php
    $spaw1 = new SpawEditor("forum_desc");
    $spaw1->show();
    ?>
    
    </font></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td colspan="2"><font class="header" color="#990000"><strong><font color="#009900">META
    <font  size="2" face="Verdana, Arial, Helvetica, sans-serif">tags</font></font><font class="header" size="2" face="Verdana, Arial, Helvetica, sans-serif">
    <font color="#000000">(careful now, this <font color="#FF00FF">cannot</font>
    be changed)</font></font></strong></font></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td><div align="right"><font size="2"><strong>keywords (tags):</strong></font></div></td>
    
    <td><input name="meta_keywords" type="text" id="meta_keywords" size="65" maxlength="100"></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td><div align="right"><font size="2"><strong>channel descripti<font face="Verdana, Arial, Helvetica, sans-serif">on:</font></strong></font></div></td>
    <td><input name="meta_desc" type="text" id="meta_desc" size="65" maxlength="100"></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td><div align="right"><font size="2"><strong>page .t<font face="Verdana, Arial, Helvetica, sans-serif">itle:</font></strong></font></div></td>
    
    <td><input name="dc_title" type="text" id="dc_title" size="65" maxlength="100"></td>
    </tr>
    <?php
    if($_SESSION['user']['privilege_id'] == '2')//if admin
    {
    ?>
    <tr valign="top" bgcolor="#FFFFFF">
    <td>&nbsp;</td>
    <td><input name="forum_front_page" type="checkbox" id="forum_front_page" value="1">
    <strong><font color="#FF00FF">show on front page</font></strong></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td>&nbsp;</td>
    <td><input name="admin_only" type="checkbox" id="forum_front_page" value="1"><strong><font color="#FF00FF">             <strong>admin               only forum (only admin can post in this forum)</strong></font></strong></td>
    <?php
    }
    ?>
    
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td>&nbsp;</td>
    <input type="hidden" name="submitform" value="submitform">
    <td><input type="submit" name="Submit2" value="submit"></td>
    </tr>
    <tr valign="top" bgcolor="#FFFFFF">
    <td> <div align="right"></div></td>
    <td><font size="2">&nbsp; </font></td>
    </tr>
    </table>
    </form>
    <?php
    include "includes/template/footer.php";
    ?>
    
    
     
  5. Shamil

    Shamil Well-Known Member

    Can you use [code][/code] tags please? which line of which script does it fail?
     
  6. Brandon_R

    Brandon_R Guest

    You might want to escape your input.
     
  7. Shamil

    Shamil Well-Known Member

    Using mysql_real_escape_string();

    Read this for more details.
     
  8. pk698

    pk698 Active Member

    Not sure which line(s).
     
  9. Shamil

    Shamil Well-Known Member

    Any piece of code up there, i.e the whole lot.
     
  10. Brandon_R

    Brandon_R Guest

    Basically look for all the $_GET variables and put that in the function at the top.
     
  11. Shamil

    Shamil Well-Known Member

    Anything outputted from the database might want this done to it first:
    stripslashes();
     
  12. pk698

    pk698 Active Member

    Thanks, will check that out.
     
  13. mlx

    mlx Well-Known Member

    Replacing
    Code:
    $query_insert = mysql_query("insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('".$_POST['forum_title']."','".$_POST['forum_desc']."','".$_POST['meta_keywords']."','".$_POST['meta_desc']."','".$_POST['dc_title']."','".$_POST['forum_front_page']."','".$_SERVER['REMOTE_ADDR']."',now(),'".$_SESSION['user']['user_id']."','".$_POST['admin_only']."')") or die(mysql_error());
    
    with
    Code:
    $query_insert = mysql_query("insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('".mysql_real_escape_string($_POST['forum_title'])."', '".mysql_real_escape_string($_POST['forum_desc'])."', '".mysql_real_escape_string($_POST['meta_keywords'])."', '".mysql_real_escape_string($_POST['meta_desc'])."', '".mysql_real_escape_string($_POST['dc_title'])."', '".mysql_real_escape_string($_POST['forum_front_page'])."', '".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."', now(), '".mysql_real_escape_string($_SESSION['user']['user_id'])."', '".mysql_real_escape_string($_POST['admin_only'])."')") or die(mysql_error());
    
    should at least fix the SQL injection vulnerability. Didn't really check if there are other issues with the code though.
     

Share This Page