SQL error when I enter the apostrophe '

pk698

I have a PHP script that someone coded for me, but it's giving me a MySQL error when I enter the apostrophe ('). Any idea what's going on?
 
Code:
<?php include("includes/setup.php");
$module = 'add-to-list.php';
$authorizedUsers = "1,2";
$restrictGoTo = "login.php";
include("includes/access.php");
$fi = $_GET['fi'];

if (isset($_POST['submitform']))
{
    $error = false;
    if ($_POST['post_desc'] == "" or $_POST['post_desc'] == '<br />')
    {
        $message->add($module, 'post description can not be empty');
        $error = true;
    }
    if ($error === false)
    { // close if want to use html tag
        //if($_SESSION['user']['privilege_id']<> '2')
        //{
        //$ins_post_desc = sanitize_string($_POST['post_desc']);
        //}
        //else
        //{
        $ins_post_desc = $_POST['post_desc'];
        //}
        // The post body, the forum id, the session user id and the client IP are
        // concatenated straight into the SQL string. An apostrophe in the post body
        // closes the quoted literal early; the rest of the text is then parsed as
        // SQL, which is the mysql_error() this thread is about.
        $query_insert = mysql_query("insert into post(forum_id,post_desc,user_post_create,ip_user_post,post_date_created) values('".$_POST['fi']."','".$ins_post_desc."','".$_SESSION['user']['user_id']."','".$_SERVER['REMOTE_ADDR']."',now())") or die(mysql_error());
        die(header("location:index.php?fi=".$_POST['fi']."&msg=success post&status=success"));
    }
    $fi = $_POST['fi'];
}
else
{
    // This branch only runs when the form is displayed (no submitform in the
    // request); the admin_only check below is therefore not repeated on submit.
    if ($_GET['fi'] == "")
    {
        die(header("location:index.php?msg=this list can not be found&status=error"));
    }
    else
    {
        if ($forum_class->display_forum($_GET['fi'], 'forum_id') == "")
        {
            die(header("location:index.php?msg=this list can not be found&status=error"));
        }
        $admin_only = $forum_class->display_forum($_GET['fi'], 'admin_only');
        if ($admin_only == 1 and $_SESSION['user']['privilege_id'] <> '2')
        {
            die(header("location:index.php?msg=only admin can post to this channel&status=error"));
        }
    }
}
$forum_title = $forum_class->display_forum($_GET['fi'], 'forum_title');
include "includes/template/header.php";
include 'includes/message_stack.php';
?>
<!--
<script src="includes/ext/mootool/moo.js" type="text/javascript"></script>
<script>

var Countable = new Class({

initialize: function(inputId, max, className, errorClass) {

this.input = $(inputId);
this.max = max;
this.className = className ? className : "count";
this.errorClass = errorClass ? errorClass : "error";

this.handle = new Element("div", {'class': this.className});
this.handle.setHTML('&nbsp;').injectBefore(this.input);
this.input.addEvent('keydown', this.onKeyPress.bindWithEvent(this));
this.input.addEvent('keyup', this.onKeyPress.bindWithEvent(this));
this.update();

},

onKeyPress: function(event) {
event = new Event(event);
if(!event.shift && !event.control && !event.alt && !event.meta) this.update();
},

update: function() {

if (this.input.value.length > this.max)
this.input.value = this.input.value.substring(0, this.max);

var count = this.max - this.input.value.length;

if (count == 0) {
var string = "<span class=\""+this.errorClass+"\"></span>";
} else if (count == 1) {
var string = "1 ";
} else {
var string = count + " ";
}
this.handle.setHTML(string);
}

});
 
window.addEvent('domready',function(){
new Countable("post_desc",340);

});

</script>
-->
<form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table width="100%" align="center" cellpadding="7" cellspacing="0" style="border: 1px solid #cccccc">
<tr valign="top" bgcolor="<?php echo $bg_style; ?>" style="color:<?php echo $font_style;?>">
<td colspan="2"> <div align="center"><font color="<?php echo $font_style;?>" class="header"  face="Verdana, Arial, Helvetica, sans-serif"><strong>add new list to <font class="header" size="2"><?php echo $forum_title; ?></font></strong></font></div></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td width="21%">&nbsp;</td>

<td width="79%">
<?php
$spaw1 = new SpawEditor("post_desc");
$spaw1->show();
?>
<!--
<textarea name="post_desc" id="post_desc" cols="60" rows="8"></textarea>-->
</td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td>&nbsp;</td>
<td>
<?php // $fi comes from the request (GET or POST), so it is escaped before being echoed into the attribute ?>
<input type="hidden" name="fi" value="<?php echo htmlspecialchars($fi, ENT_QUOTES); ?>">
<input type="hidden" name="submitform" value="submitform">
<input type="submit" name="Submit2" value="submit"></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td> <div align="right"></div></td>

<td><font size="2">&nbsp; </font></td>
</tr>
</table>
</form>
<?php
include "includes/template/footer.php";
?>
 
And the post page....

Code:
<?php include("includes/setup.php");
$module = 'post.php';
$authorizedUsers = "1,2";
$restrictGoTo = "login.php";
include("includes/access.php");

if (isset($_POST['submitform']))
{
    $error = false;
    if ($_POST['forum_title'] == "" or $_POST['forum_title'] == '<br />')
    {
        $message->add($module, 'post title can not be empty');
        $error = true;
    }
    if ($_POST['meta_keywords'] == "" or $_POST['meta_keywords'] == '<br />')
    {
        $message->add($module, 'meta keywords can not be empty');
        $error = true;
    }
    if ($_POST['meta_desc'] == "" or $_POST['meta_desc'] == '<br />')
    {
        $message->add($module, 'meta description can not be empty');
        $error = true;
    }
    if (check_forum_title($_POST['forum_title']))
    {
        $message->add($module, 'that list already exists. you cannot make a duplicate list. click <a href=index.php?fi='.check_forum_title($_POST['forum_title']).'>here</a> to go to that list');
        $error = true;
    }
    if ($error === false)
    {
        // Every form field goes into the SQL string unescaped, so an apostrophe in
        // any of them breaks the query. Note also that forum_front_page and
        // admin_only are taken from $_POST as submitted; the form only hides those
        // checkboxes from non-admins, and privilege_id is not checked here.
        $query_insert = mysql_query("insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('".$_POST['forum_title']."','".$_POST['forum_desc']."','".$_POST['meta_keywords']."','".$_POST['meta_desc']."','".$_POST['dc_title']."','".$_POST['forum_front_page']."','".$_SERVER['REMOTE_ADDR']."',now(),'".$_SESSION['user']['user_id']."','".$_POST['admin_only']."')") or die(mysql_error());
        $forum_id_new = mysql_insert_id();
        if ($_POST['forum_front_page'] == 1)
        {
            db_query("delete from front_page");
            db_query("insert into front_page(forum_id,date_created) values('$forum_id_new',now())");
        }
        die(header("location:post.php?msg=post success&status=success"));
    }
}
include "includes/template/header.php";
include 'includes/message_stack.php';
?>
?><form name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<table width="100%" align="center" cellpadding="7" cellspacing="0" style="border: 1px solid #cccccc">
<tr valign="top" bgcolor="<?php echo $bg_style; ?>">
<td colspan="2"> <div align="center"><strong><font color="<?php echo $font_style;?>" face="Verdana, Arial, Helvetica, sans-serif">add a new channel</font></strong></div></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td width="21%"> <div align="right"><font color="#000000" size="2"><strong><font face="Verdana, Arial, Helvetica, sans-serif">channel name</font>:</strong></font></div></td>

<td width="79%"><font size="2">
<input name="forum_title" type="text" id="forum_title" size="65" maxlength="100">
</font></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td> <div align="right"><font color="#000000" size="2"><strong><font face="Verdana, Arial, Helvetica, sans-serif">
detail</font>:</strong></font></div></td>
<td><font color="#990000" size="2">
<?php
$spaw1 = new SpawEditor("forum_desc");
$spaw1->show();
?>

</font></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td colspan="2"><font class="header" color="#990000"><strong><font color="#009900">META
<font  size="2" face="Verdana, Arial, Helvetica, sans-serif">tags</font></font><font class="header" size="2" face="Verdana, Arial, Helvetica, sans-serif">
<font color="#000000">(careful now, this <font color="#FF00FF">cannot</font>
be changed)</font></font></strong></font></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td><div align="right"><font size="2"><strong>keywords (tags):</strong></font></div></td>

<td><input name="meta_keywords" type="text" id="meta_keywords" size="65" maxlength="100"></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td><div align="right"><font size="2"><strong>channel descripti<font face="Verdana, Arial, Helvetica, sans-serif">on:</font></strong></font></div></td>
<td><input name="meta_desc" type="text" id="meta_desc" size="65" maxlength="100"></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td><div align="right"><font size="2"><strong>page .t<font face="Verdana, Arial, Helvetica, sans-serif">itle:</font></strong></font></div></td>

<td><input name="dc_title" type="text" id="dc_title" size="65" maxlength="100"></td>
</tr>
<?php
if ($_SESSION['user']['privilege_id'] == '2') // if admin
{
?>
<tr valign="top" bgcolor="#FFFFFF">
<td>&nbsp;</td>
<td><input name="forum_front_page" type="checkbox" id="forum_front_page" value="1">
<strong><font color="#FF00FF">show on front page</font></strong></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td>&nbsp;</td>
<td><input name="admin_only" type="checkbox" id="admin_only" value="1"><strong><font color="#FF00FF">admin only forum (only admin can post in this forum)</font></strong></td>
</tr>
<?php
}
?>
<tr valign="top" bgcolor="#FFFFFF">
<td>&nbsp;</td>
<td>
<input type="hidden" name="submitform" value="submitform">
<input type="submit" name="Submit2" value="submit"></td>
</tr>
<tr valign="top" bgcolor="#FFFFFF">
<td> <div align="right"></div></td>
<td><font size="2">&nbsp; </font></td>
</tr>
</table>
</form>
<?php
include "includes/template/footer.php";
?>
 
Replacing
Code:
$query_insert = mysql_query(
    "insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('"
    . $_POST['forum_title'] . "','"
    . $_POST['forum_desc'] . "','"
    . $_POST['meta_keywords'] . "','"
    . $_POST['meta_desc'] . "','"
    . $_POST['dc_title'] . "','"
    . $_POST['forum_front_page'] . "','"
    . $_SERVER['REMOTE_ADDR'] . "',now(),'"
    . $_SESSION['user']['user_id'] . "','"
    . $_POST['admin_only'] . "')"
) or die(mysql_error());

with
Code:
$query_insert = mysql_query(
    "insert into forum(forum_title,forum_desc,meta_keywords,meta_desc,dc_title,forum_front_page,ip_user_forum,forum_date_created,user_create_forum,admin_only) values('"
    . mysql_real_escape_string($_POST['forum_title']) . "', '"
    . mysql_real_escape_string($_POST['forum_desc']) . "', '"
    . mysql_real_escape_string($_POST['meta_keywords']) . "', '"
    . mysql_real_escape_string($_POST['meta_desc']) . "', '"
    . mysql_real_escape_string($_POST['dc_title']) . "', '"
    . mysql_real_escape_string($_POST['forum_front_page']) . "', '"
    . mysql_real_escape_string($_SERVER['REMOTE_ADDR']) . "', now(), '"
    . mysql_real_escape_string($_SESSION['user']['user_id']) . "', '"
    . mysql_real_escape_string($_POST['admin_only']) . "')"
) or die(mysql_error());

should at least fix the SQL injection vulnerability. Didn't really check if there are other issues with the code though.
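To make the mechanism behind pk698's error and the reply's fix concrete, here is an added example; it is not code from either post. It rebuilds the add-to-list.php INSERT the same way the posted script does to show what an apostrophe does to the SQL text, then performs the same insert with a PDO prepared statement. The PDO DSN, the credentials and the two helper function names are assumptions for the example, not anything from the site's own includes.

```php
<?php
// Added example for this thread (not code from the posts above): first, why a
// single apostrophe breaks the concatenated INSERT from add-to-list.php; then
// the same insert as a PDO prepared statement, where the apostrophe travels as
// data and can no longer end the quoted literal. Assumed, not in the original:
// the PDO DSN and credentials below, and the helper function names.

// Rebuild the SQL string exactly the way the posted script does.
function buildConcatenatedInsert(string $fi, string $desc, string $userId, string $ip): string
{
    return "insert into post(forum_id,post_desc,user_post_create,ip_user_post,post_date_created) "
         . "values('" . $fi . "','" . $desc . "','" . $userId . "','" . $ip . "',now())";
}

// Constructed input for the demonstration: a post body containing an apostrophe.
$desc = "Don't do that";
echo buildConcatenatedInsert("7", $desc, "1", "203.0.113.5"), "\n";
// Produces:
//   insert into post(...) values('7','Don't do that','1','203.0.113.5',now())
// MySQL treats the literal 'Don' as finished at the apostrophe and tries to parse
// "t do that','1','203.0.113.5',now())" as SQL, which is the syntax error the
// thread reports. Anyone who can end the literal on purpose can append SQL of
// their own, which is the injection the reply refers to.

// The durable fix: a prepared statement. The query text is sent with
// placeholders and the values are bound separately, so the driver never has to
// parse the post body as SQL. (mysql_real_escape_string() also works for quoted
// string positions, but the mysql_* extension was removed in PHP 7.)
function insertPost(PDO $pdo, string $fi, string $desc, string $userId, string $ip): int
{
    $stmt = $pdo->prepare(
        "insert into post(forum_id,post_desc,user_post_create,ip_user_post,post_date_created) "
      . "values(:fi, :post_desc, :user_id, :ip, now())"
    );
    $stmt->execute([
        ':fi'        => $fi,
        ':post_desc' => $desc,
        ':user_id'   => $userId,
        ':ip'        => $ip,
    ]);
    return (int) $pdo->lastInsertId();
}

// Assumed connection parameters; the site's real ones live in includes/setup.php.
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // throw instead of silently returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepares
]);

// The call add-to-list.php would make after its validation block; the
// apostrophe in $_POST['post_desc'] is stored verbatim.
$newId = insertPost(
    $pdo,
    $_POST['fi'],
    $_POST['post_desc'],
    $_SESSION['user']['user_id'],
    $_SERVER['REMOTE_ADDR']
);
```

If you stay on the mysql_* extension, the escaping shown in the reply is correct for every quoted value, but it has to be applied to every value in every query, and the connection charset must be the one mysql_real_escape_string() assumes (set it with mysql_set_charset() rather than a raw SET NAMES). A prepared statement removes both conditions, which is why it is the form worth converting the rest of the site to.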