
I need help with apostrophes.



jsalansing
02-27-2010, 12:41 AM
Hello everyone, I really need some help here, I have been trying to figure out my problems with apostrophes now for about a week, and I am to the point I need to ask for help. I have done a TON of reading and it seems the more I read the more confused I get.

I have an event calendar that I am trying to use to let people post their upcoming poker events, the problem I am having is when creating a category like Joe's Poker Shack I get the following error code:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack'' at line 2

Here is the code I have been trying to work with and not sure what to add to it. Also magic_quotes_gpc are off.


<?
require("../common.php");

// check the input
// blank title
if ($Returned == 1 AND !$Name) {
commonHeader("Administration");
echo "<center><font color=\"red\"><b>You did not specify a TITLE OR NAME. Please complete the form below.</b></font></center><p>";

// the user data passed, let's continue
} elseif ($Returned == 1) {
// check for duplicate
// $Name comes straight from the form and is dropped into the SQL string unescaped;
// an apostrophe in it ends the string literal early
$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
Name = '$Name'") or die(mysql_error());
while ($row = mysql_fetch_row($result)) {
$Locations = $row[0];
}

if ($Locations > 0) {
commonHeader("Administration");
echo "<center><font color=\"red\"><b>That CATEGORY NAME ALREADY EXISTS. Please complete the form below.</b></font></center><p>";
} else {
// same problem here: $Name, $WebAlias and $LocationID are interpolated unescaped
mysql("$DBName","INSERT INTO phpCalendar_Locations VALUES(
'$Name','','$WebAlias','$LocationID')") or die(mysql_error());

Header("Location: ./");
exit;
}

// we haven't returned, so do everything else
} else {
commonHeader("Administration");
}

?>

<b>Adding a category...</b><p>

<form action="<? echo $PHP_SELF; ?>" method="post">

<center>
<table width ="100%" border="0" bgcolor="#FFFFFF">

<tr>
<td valign="top"><b>Category name or title:</b><br>
<input type="text" size="30" name="Name" value="<? echo $Name; ?>">
</td>
<td valign="top"><b>Web alias:</b><br>
<input type="text" size="30" name="WebAlias" value="<? echo $WebAlias; ?>">
</td>
</tr>

<tr>
<td colspan="2">
<center>
<input type="hidden" name="Returned" value="1">
<input type="submit" value="Add Category >>"></form>
</td></tr>


</table>
</center>

<?
commonFooter();
?>



Thanks for any input.

Joe...

zulugrid
02-27-2010, 12:50 AM
You need to escape strings before using them in a query. For example, something like this:



$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
Name = '" . mysql_escape_string($Name) . "'") or die(mysql_error());

abduraooft
02-27-2010, 09:10 AM
mysql_escape_string() is deprecated and will be removed from PHP 6. Use mysql_real_escape_string() (http://php.net/mysql_real_escape_string) instead.

masterofollies
02-27-2010, 03:53 PM
Try to use single quotes as much as possible.

zulugrid
02-27-2010, 04:33 PM
mysql_escape_string() is deprecated and will be removed from PHP 6. Use mysql_real_escape_string() (http://php.net/mysql_real_escape_string) instead.

True. Using mysql_real_escape_string before a connection is open issues a warning though, so jsalansing should make sure his mysql() function opens the connection before escaping the strings using mysql_real_escape_string.

jsalansing
02-27-2010, 07:09 PM
Thank you for all the input. When I replace:


$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
Name = '$Name'") or die(mysql_error());

With:


$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
Name = '" . mysql_real_escape_string($Name) . "'") or die(mysql_error());

I still get an error code, but this time the error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack','','Joe's Poker Shack','')' at line 2

This thing is driving me crazy.

Joe....

masterofollies
02-27-2010, 07:21 PM
Your name has a quote in it, such as Jack's Shop. I believe you need to add slashes to it by using addslashes($name);

abduraooft
02-28-2010, 12:12 PM
And is mysql() a custom function defined at your end?

MattF
02-28-2010, 12:36 PM
$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
Name = '" . mysql_real_escape_string($Name) . "'") or die(mysql_error());

I still get an error code, but this time the error is:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack','','Joe's Poker Shack','')' at line 2

That error obviously isn't being generated by that query. Try working on the relevant query for the error message. This is the query which is generating that message:



mysql("$DBName","INSERT INTO phpCalendar_Locations VALUES(
'$Name','','$WebAlias','$LocationID')") or die(mysql_error());
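The fix that zulugrid's escaping advice and MattF's point about the INSERT both lead to, as an added example that is not code from the thread: bind the form values as parameters for both the duplicate check and the INSERT, so quotes in the data can never change the statement. It uses PDO with an in-memory SQLite database so it runs offline; the column names Description and LocationID are assumed from the four-value INSERT, and the same PDO calls work against MySQL with a mysql: DSN.

```php
<?php
// Added example, not the thread's code. In-memory SQLite stands in for MySQL;
// column names are assumed from the thread's four-value INSERT.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE phpCalendar_Locations '
        . '(Name TEXT, Description TEXT, WebAlias TEXT, LocationID TEXT)');

// The thread's approach: the value is pasted into the SQL text, so the
// apostrophe in "Joe's" closes the string literal early and the statement no
// longer parses (the "near 's Poker Shack'" error). The same mechanism is what
// lets a crafted value alter the query, which is why escaping is a security
// issue and not only a syntax one.
function insertInterpolated(PDO $db, $Name, $WebAlias, $LocationID)
{
    try {
        $db->exec("INSERT INTO phpCalendar_Locations VALUES("
                . "'$Name','','$WebAlias','$LocationID')");
        return true;
    } catch (PDOException $e) {
        return false;   // syntax error, as in the thread
    }
}

// The fix: prepared statements with bound parameters. The driver sends the
// values separately from the SQL text, so no escaping of quotes is needed
// and no data value can change the statement's structure.
function addLocation(PDO $db, $Name, $WebAlias, $LocationID)
{
    $check = $db->prepare(
        'SELECT COUNT(*) FROM phpCalendar_Locations WHERE Name = :name');
    $check->execute(array(':name' => $Name));
    if ((int) $check->fetchColumn() > 0) {
        return 'duplicate';
    }
    $ins = $db->prepare(
        'INSERT INTO phpCalendar_Locations VALUES(:name, :desc, :alias, :id)');
    $ins->execute(array(':name' => $Name, ':desc' => '',
                        ':alias' => $WebAlias, ':id' => $LocationID));
    return 'added';
}

$Name = "Joe's Poker Shack";      // the input from the thread
$WebAlias = "Joe's Poker Shack";
$LocationID = '';

var_dump(insertInterpolated($db, $Name, $WebAlias, $LocationID));
echo addLocation($db, $Name, $WebAlias, $LocationID), "\n";
echo addLocation($db, $Name, $WebAlias, $LocationID), "\n";
```

Run once: the interpolated INSERT fails on the apostrophe, the parameterized version adds the row, and a second call reports the duplicate, which is the behaviour the thread's script was after.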


