stublackett Posted July 30, 2008

Hi, I'm getting an SQL Syntax Error when inserting into a database. I'm constantly having this problem on pieces of code I'm writing, so I could do with a solution which will help me from now on. I'm getting the SQL Syntax Error:

> Couldn't UPDATE to database: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Messages'' WHERE gbID = '2002'' at line 1 - 'UPDATE bdGuest SET Confirmed='1',Message='Test's Messages'' WHERE gbID = '2002';'

I'm assuming it's something to do with the apostrophes in the Message field, as anything without an apostrophe goes straight in. Here is my code. How do I add addslashes or stripslashes to this line of code?

```php
<?php
require_once("scripts/mysqlClass.php");
$guestDB = new dbHandler;

if(@$_POST) {
    // Delete a guestbook entry by its id
    if(@$_POST['delete'] && $_POST['gbID']) {
        require_once("scripts/mysqlAdminClass.php");
        $adminDB = new dbAdminHandler;
        $adminDB->connect();
        $adminDB->start_delete("bdGuest");
        $adminDB->where("gbID = '{$_POST['gbID']}'");
        $adminDB->query();
        $msg = "Item Deleted";
    }

    // Confirm an entry and store its message (this is the UPDATE that fails)
    if(@$_POST['add'] && $_POST['gbID']) {
        require_once("scripts/mysqlAdminClass.php");
        $adminDB = new dbAdminHandler;
        $adminDB->connect();
        $fields = Array("Confirmed","Message");
        // The message goes into the query as-is; an apostrophe in it breaks the SQL
        $values = Array("1",nl2br($_POST['Message']));
        if(strlen($values[1]) < 5)
            die("Message Too Short ".$values[1]." ".$_POST['Message']);
        $adminDB->update("bdGuest",$fields,$values);
        $adminDB->where("gbID = '{$_POST['gbID']}'");
        $adminDB->query();
        $msg = "Item Added to Guestbook";
    }
}
?>
```

Link to comment https://forums.phpfreaks.com/topic/117302-solved-stripslashes/
JonnoTheDev Posted July 30, 2008

```php
$values = Array("1",addslashes(nl2br($_POST['Message'])));
```

It may be better to modify your dbAdminHandler class to auto escape any values rather than you using the above method.
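The same guestbook UPDATE written with mysqli prepared statements, as an added example that is not from the thread or the poster's dbAdminHandler class: the apostrophe in "Test's Messages" is passed as a bound parameter, so it never becomes part of the SQL text and no addslashes call is needed. Table and column names follow the original post; the connection details and the confirmGuestbookEntry function are assumptions.

```php
<?php
// Added example: confirm a guestbook entry with a prepared statement.
// Connection details are placeholders; bdGuest, Confirmed, Message and gbID
// are the names used in the original post.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Mark entry $gbID as confirmed and store $message.
 * Returns the number of rows changed (0 when no such gbID exists).
 */
function confirmGuestbookEntry(mysqli $db, int $gbID, string $message): int
{
    if (strlen($message) < 5) {
        throw new InvalidArgumentException("Message Too Short");
    }

    // "?" placeholders: MySQL receives the message and id as separate
    // parameters, so quotes inside them are data, not SQL syntax.
    $stmt = $db->prepare(
        "UPDATE bdGuest SET Confirmed = '1', Message = ? WHERE gbID = ?"
    );
    $stmt->bind_param("si", $message, $gbID);
    $stmt->execute();

    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Placeholders for host, user, password and database name.
$db = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
$db->set_charset("utf8mb4");

// Constructed sample input: the exact message that broke the original query.
// nl2br is kept because the original code stores the message that way.
$rows = confirmGuestbookEntry($db, 2002, nl2br("Test's Messages"));

echo $rows === 1 ? "Item Added to Guestbook\n" : "No entry with that gbID\n";
```

The same bind_param pattern can be placed inside a dbAdminHandler-style wrapper so every value is bound automatically, which is the "auto escape" approach suggested above.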
monkeytooth Posted July 30, 2008

Me personally, I do stripslashes.. but I add ereg_replace into it as well, maybe as an over-cautious person, I dunno.. I use ereg_replace to replace things like quotes, double quotes, less than, more than etc.. with other things.. like [dblqte] [snglqte] etc.. and have it insert that way into my database.. then when it needs to be called out for display I use str_replace to find things like [dblqte] [snglqte] and replace them with what I had them originally replaced with for display.. to me that just keeps things cleaner, a bit easier on my end, with what I think may help prevent injection attacks.. as well as just generally with what I think may help keep my code from bunking out because of an extra something generated on the user end..
stublackett Posted July 30, 2008 (Author)

> $values = Array("1",addslashes(nl2br($_POST['Message'])));
>
> It may be better to modify your dbAdminHandler class to auto escape any values rather than you using the above method.

Spot on, cheers Neil!