  1. #1
    New to the CF scene
    Join Date
    Feb 2010
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts

    I need help with apostrophes.

    Hello everyone, I really need some help here. I have been trying to figure out my problems with apostrophes for about a week now, and I am at the point where I need to ask for help. I have done a TON of reading and it seems the more I read the more confused I get.

    I have an event calendar that I am trying to use to let people post their upcoming poker events. The problem I am having is that when creating a category like Joe's Poker Shack I get the following error code:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack'' at line 2

    Here is the code I have been trying to work with, and I am not sure what to add to it. Also, magic_quotes_gpc is off.

    Code:
    <?
    require("../common.php");
    
    	// check the input
    	// blank title
    	if ($Returned == 1 AND !$Name) {
    	commonHeader("Administration");
    	echo "<center><font color=\"red\"><b>You did not specify a TITLE OR NAME. Please complete the form below.</b></font></center><p>";
    
    	// the user data passed, let's continue
    	} elseif ($Returned == 1) {
    	// check for duplicate
    	$result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
    	Name = '$Name'") or die(mysql_error());
    		while ($row = mysql_fetch_row($result)) {
    		$Locations = $row[0];
    		}
    
    		if ($Locations > 0) {
    		commonHeader("Administration");
    		echo "<center><font color=\"red\"><b>That CATEGORY NAME ALREADY EXISTS. Please complete the form below.</b></font></center><p>";
    		} else {
    		mysql("$DBName","INSERT INTO phpCalendar_Locations VALUES(
    		'$Name','','$WebAlias','$LocationID')") or die(mysql_error());
    
    		Header("Location: ./");
    		exit;
    		}
    
    	// we haven't returned, so do everything else
    	} else {
    	commonHeader("Administration");
    	}
    
    ?>
    
    <b>Adding a category...</b><p>
    
    <form action="<? echo $PHP_SELF; ?>" method="post">
    
    <center>
    <table width ="100%" border="0" bgcolor="#FFFFFF">
    
    <tr>
    <td valign="top"><b>Category name or title:</b><br>
    <input type="text" size="30" name="Name" value="<? echo $Name; ?>">
    </td>
    <td valign="top"><b>Web alias:</b><br>
    <input type="text" size="30" name="WebAlias" value="<? echo $WebAlias; ?>">
    </td>
    </tr>
    
    <tr>
    <td colspan="2">
    <center>
    <input type="hidden" name="Returned" value="1">
    <input type="submit" value="Add Category >>"></form>
    </td></tr>
    
    
    </table>
    </center>
    
    <?
    commonFooter();
    ?>

    Thanks for any input.

    Joe...

  • #2
    New to the CF scene
    Join Date
    Feb 2010
    Location
    Williamsburg, VA
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    You need to escape strings before using them in a query. For example, something like this:

    PHP Code:
    $result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
        Name = '" . mysql_escape_string($Name) . "'") or die(mysql_error());

  • #3
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,854
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    mysql_escape_string() is deprecated and will be removed from php-6. Use mysql_real_escape_string() instead.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #4
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    Try to use single quotes as much as possible.
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #5
    New to the CF scene
    Join Date
    Feb 2010
    Location
    Williamsburg, VA
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by abduraooft View Post
    mysql_escape_string() is deprecated and will be removed from php-6. Use mysql_real_escape_string() instead.
    True. Using mysql_real_escape_string before a connection is open issues a warning though, so jsalansing should make sure his mysql() function opens the connection before escaping the strings using mysql_real_escape_string.

  • #6
    New to the CF scene
    Join Date
    Feb 2010
    Posts
    3
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thank you for all the input. When I replace:

    PHP Code:
    $result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
        Name = '$Name'") or die(mysql_error());
    With:

    PHP Code:
    $result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
        Name = '" . mysql_real_escape_string($Name) . "'") or die(mysql_error());
    I still get an error code, but this time the error is:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack','','Joe's Poker Shack','')' at line 2

    This thing is driving me crazy.

    Joe....

  • #7
    Senior Coder
    Join Date
    May 2005
    Posts
    2,137
    Thanks
    96
    Thanked 72 Times in 72 Posts
    Your name has a quote in it, such as Jack's Shop. I believe you need to add slashes to it by using addslashes($name);
    Rowsdower! has accused me of having mental problems, and the administrator allowed it. What a great forum huh?

  • #8
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,854
    Thanks
    160
    Thanked 2,223 Times in 2,210 Posts
    Blog Entries
    1
    And is mysql() a custom function defined at your end?
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #9
    Senior Coder
    Join Date
    Jul 2009
    Location
    South Yorkshire, England
    Posts
    2,318
    Thanks
    6
    Thanked 304 Times in 303 Posts
    Quote Originally Posted by jsalansing View Post
    PHP Code:
    $result = mysql("$DBName","SELECT COUNT(*) FROM phpCalendar_Locations WHERE
        Name = '" . mysql_real_escape_string($Name) . "'") or die(mysql_error());
    I still get an error code, but this time the error is:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Poker Shack','','Joe's Poker Shack','')' at line 2
    That error obviously isn't being generated by that query. Try working on the relevant query for the error message. This is the query which is generating that message:

    Code:
    		mysql("$DBName","INSERT INTO phpCalendar_Locations VALUES(
    		'$Name','','$WebAlias','$LocationID')") or die(mysql_error());
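
Added example (not part of any post above, and not the calendar script's own code): both queries from the thread rewritten with PDO prepared statements, so the category name is sent as a bound parameter instead of being pasted into the SQL string. That removes the syntax error for names such as Joe's Poker Shack in the SELECT and the INSERT alike, and it closes the SQL injection hole that string-built queries leave open. Assumptions: the column names other than Name, the addCategory() helper, and an in-memory SQLite database standing in for MySQL so the script runs offline.

```php
<?php
// Added example with a constructed schema and constructed sample names.
// SQLite in memory stands in for MySQL; with MySQL only the PDO DSN
// and credentials change, the prepared statements stay the same.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Only the Name column is known from the thread; the other three
// column names are assumed for this example.
$pdo->exec('CREATE TABLE phpCalendar_Locations (
    Name TEXT, Description TEXT, WebAlias TEXT, LocationID TEXT)');

/**
 * Add a category unless one with the same name already exists.
 * Returns true when a row was inserted, false on a duplicate.
 * (Hypothetical helper, not a function from the calendar script.)
 */
function addCategory(PDO $pdo, string $name, string $webAlias, string $locationId): bool
{
    // Duplicate check: the value travels as a bound parameter, never as SQL text.
    $check = $pdo->prepare('SELECT COUNT(*) FROM phpCalendar_Locations WHERE Name = ?');
    $check->execute([$name]);
    if ((int) $check->fetchColumn() > 0) {
        return false;
    }

    // Same treatment for the INSERT, the query behind the second error message.
    $insert = $pdo->prepare('INSERT INTO phpCalendar_Locations VALUES (?, ?, ?, ?)');
    $insert->execute([$name, '', $webAlias, $locationId]);
    return true;
}

// Constructed inputs containing an apostrophe, double quotes and a backslash.
$samples = ["Joe's Poker Shack", 'Jack\'s "Full House" \\ Club'];
foreach ($samples as $name) {
    var_dump(addCategory($pdo, $name, $name, ''));  // first attempt
    var_dump(addCategory($pdo, $name, $name, ''));  // repeat goes through the duplicate check
}

// Read the names back to compare them with the inputs.
foreach ($pdo->query('SELECT Name FROM phpCalendar_Locations') as $row) {
    echo $row['Name'], PHP_EOL;
}
```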

