
Possible Duplicate:
How to prevent SQL injection?

With my script, when I copy a topic's text from Gmail and paste it into the form to add it as a topic, I suddenly get this error:

 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'no matter where the" at line 2

This only happens with text copied from Gmail, even if I first paste it into Notepad and then copy it from there into my script. (The MySQL message quotes the rest of the query from the point where parsing failed, `no matter where the`, which most likely means an apostrophe in the pasted text closed the SQL string literal early — the query is built by interpolating the raw POST values, see below.)

This is my code to add a topic:

<?php 
@session_start();


if (!$_SESSION['username']){
 echo "<meta http-equiv='refresh' content='0; url=../login.php'/>";
  exit();
}

?>

<?php include "../config.php";?>
<html>
<head>

<meta charset="utf-8"/>
<link rel="stylesheet" type="text/css" href="admin.css" media="screen"/>



</head>
<body>

 <!-- TinyMCE -->
<script type="text/javascript" src="../editor/tiny_mce.js"></script>
<script type="text/javascript">
    tinyMCE.init({
        // General options
        mode : "textareas",
        theme : "advanced",
        plugins : "autolink,lists,pagebreak,style,layer,table,save,advhr,advimage,advlink,emotions,iespell,inlinepopups,insertdatetime,preview,media,searchreplace,print,contextmenu,paste,directionality,fullscreen,noneditable,visualchars,nonbreaking,xhtmlxtras,template,wordcount,advlist,autosave",

        // Theme options
        theme_advanced_buttons1 : "bold,italic,underline,strikethrough,|,justifyleft,justifycenter,justifyright,justifyfull,styleselect,formatselect,fontselect,fontsizeselect",
        theme_advanced_buttons2 : "bullist,numlist,|,link,unlink,anchor,cleanup,insertdate,inserttime,preview,|,forecolor,backcolor,hr,|,fullscreen,,ltr,rtl",
        theme_advanced_buttons3 : "media,removeformat,cleanup",
        theme_advanced_buttons4 : "",
        theme_advanced_toolbar_location : "top",
        theme_advanced_toolbar_align : "right",
        theme_advanced_statusbar_location : "bottom",
        theme_advanced_resizing : true,


        // Example content CSS (should be your site CSS)
        content_css : "css/content.css",

        // Drop lists for link/image/media/template dialogs
        template_external_list_url : "lists/template_list.js",
        external_link_list_url : "lists/link_list.js",
        external_image_list_url : "lists/image_list.js",
        media_external_list_url : "lists/media_list.js",

        // Style formats
        style_formats : [
            {title : 'Bold text', inline : 'b'},
            {title : 'Red text', inline : 'span', styles : {color : '#ff0000'}},
            {title : 'Red header', block : 'h1', styles : {color : '#ff0000'}},
            {title : 'Example 1', inline : 'span', classes : 'example1'},
            {title : 'Example 2', inline : 'span', classes : 'example2'},
            {title : 'Table styles'},
            {title : 'Table row 1', selector : 'tr', classes : 'tablerow1'}
        ],

        // Replace values for the template plugin
        template_replace_values : {
            username : "Some User",
            staffid : "991234"
        }
    });
</script>
<!-- /TinyMCE --> 











<?php 



#=======================================insert news==========================================
if ($_POST['submit']){

$topic_title    =$_POST['topic_title'];
$topic          =$_POST['topic'];
$id_topic       =$_POST['topic_sec'];
$image1         =$_POST['image1'];
$image2         =$_POST['image2'];
$today          =gmdate("d,m,Y");
$date           =$_POST['date'];
$status         =$_POST['status'];


$insert=mysql_query("insert into topics values('','$topic_title','$image1','$image2',
'$id_topic','$topic','$today','','$status')")or die (mysql_error());
}
if ($insert){echo "<script>alert(\"topic has been added\");</script>
<meta http-equiv='refresh' content='0; url=topics.php'/>
";}

?>



<div id='right'>add a new topic</div>


<form action='' method='post'  dir='rtl'>
<table width='100%' cellpadding='5' cellspacing='10'  dir='rtl'>
<tr>
<td>topic title</td>
<td><input type='text' name='topic_title'  id='topic_title'/></td>
</tr>

<tr>
<td>upper image</td>
<td><input type='text' name='image1' size='70%'/></td>
</tr>

<td>left image</td>
<td><input type='text' name='image2' size='70%'/></td>
</tr>



<tr>
<td>topic section</td>
<td>
<select name='topic_sec'>

<?php
$select=mysql_query("select * from sections")or die (mysql_error());
while ($row=mysql_fetch_object($select)){
echo "<option value='$row->id_sec'>$row->sec_name</option>";
}

?>

</select>
</td>
</tr>

<tr>
<td>topic</td>
<td  >
<textarea  cols='100' rows='25' name='topic' ></textarea>
</td>
</tr>

<tr>
<td>state</td>
<td>
<select name='status'>
<option value='1'>active</option>
<option value='2'>unactive</option>
</select>
</td>
</tr>

<tr>
<td colspan='2' ><input type='submit' id='subbot' name='submit' value='add'/></td>
</tr>


</table>
<input type='hidden' name='date' value='<?=$today;?>'/>

</form>
<br/>


</body>
</html>

You could pass each variable through mysql_real_escape_string() before interpolating it into the query — that escapes the single quote (as well as backslashes, NUL bytes, etc.) that is currently terminating your string literal. It has to be applied to every interpolated value, including the ones coming from the `<select>` elements, and it only escapes correctly once a connection is open and its charset is set.

Incidentally, the same bug is an SQL injection hole: anyone who can submit that form can put their own SQL into the query, so this is not just a paste problem. At the very least escape every POST value with mysql_real_escape_string(); the proper fix is a prepared statement with mysqli or PDO, since the mysql_* extension is deprecated and has been removed in PHP 7.
