-1

I am using PHP and MySQL as main languages while TinyMCE for the WYSIWYG feature. The problem is I get a MySQL error every time I try to place an apostrophe on the text editor. The error appears to be like this:

An error occured upon executing query. Please notify the web developer about this error.

NOTE: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's definitely a program for you.

International Language Academy Manila (' at line 1

The statement leads me to this set of code:

function ExecuteQuery($strquery){
  $rs = mysql_query("$strquery") or 
        die('<br><br>An error occured upon executing query.<br>Please notify the web developer about this error.<br><br>NOTE: '.mysql_error());
  return $rs;
}

But I can't seem to understand the problem. Need some help here. Thank you so much.

jamie
  • 37
  • 2
  • 11
  • 1
    Please post the query you tried. – Mahmoud Gamal Jan 01 '13 at 11:55
  • 4
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – ThiefMaster Jan 01 '13 at 11:55
  • How could we help you to find the syntax error without the query??? – sdespont Jan 01 '13 at 11:57
  • Similar question here: http://stackoverflow.com/questions/4659879/mysql-php-with-special-characters-like-apostrophe-and-quotation-mark?rq=1 – traditional Jan 01 '13 at 12:22

3 Answers

3

You are seeing the error because an apostrophe has special meaning in MySQL. As Ian said, you have to use mysql_real_escape_string on $strquery.

Not using escaping will lead to serious SQL injection security issues. http://www.unixwiz.net/techtips/sql-injection.html

function ExecuteQuery( $strquery ) {
  $rs = mysql_query(mysql_real_escape_string($strquery)) or 
        die('<br><br>An error occured upon executing query.<br>Please notify the web developer about this error.<br><br>NOTE: '.mysql_error());
  return $rs;
}
traditional
  • 942
  • 10
  • 19
1

I imagine that your query is something like this...

INSERT INTO table VALUES ('blah blah blah');

Now, imagine what will happen when the text you're trying to insert contains single quotation marks/apostrophes...

INSERT INTO table VALUES ('This won't work.');

Any single quotes in the content of the query parameters are breaking your code. You need to use mysql_real_escape_string on your query parameters.

Better yet, use PDO or MySQLi with prepared statements.

Ian Atkin
  • 6,302
  • 2
  • 17
  • 24
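The prepared-statement approach this answer recommends, as an added example that is not part of the original answer: the asker's ExecuteQuery helper rewritten around PDO so the editor value is bound as a parameter instead of being spliced into the SQL text. The connection details and the `pages`/`body` table and column are placeholders.

```php
<?php
// Added example (not the asker's or the answerer's code). Placeholder DSN and credentials.
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER',
    'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
    ]
);

// Runs a parameterised query. $params are sent to the server separately from the
// SQL text, so an apostrophe in the editor content can never end the string literal.
function ExecuteQuery(PDO $pdo, string $sql, array $params = []): PDOStatement
{
    try {
        $stmt = $pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    } catch (PDOException $e) {
        // Keep the driver's message in the server log; the visitor gets a generic notice.
        error_log('Query failed: ' . $e->getMessage());
        exit('An error occurred while saving. Please notify the web developer.');
    }
}

// Content from TinyMCE, containing the apostrophe that broke the original query.
$editorHtml = $_POST['content'] ?? "There's definitely a program for you.";

// BROKEN (shown for contrast): concatenation lets the apostrophe in $editorHtml close
// the literal early, which is exactly the "syntax to use near 's definitely" error above.
// $sql = "INSERT INTO pages (body) VALUES ('" . $editorHtml . "')";

// CORRECT: the value travels as a bound parameter, never as part of the SQL text.
ExecuteQuery($pdo, 'INSERT INTO pages (body) VALUES (:body)', [':body' => $editorHtml]);

// Reading it back works the same way; no escaping is needed anywhere.
$stmt = ExecuteQuery($pdo, 'SELECT body FROM pages WHERE id = :id', [':id' => 1]);
$row  = $stmt->fetch(PDO::FETCH_ASSOC);
```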
0

Your query looks something like this:

INSERT INTO table (textfield) VALUES ( 'your editor value' );

Now, you probably do not escape your input value, so an apostrophe in your text would break the query:

INSERT INTO table (textfield) VALUES ( 'your ' editor value with apostrophe' );

Read this to learn about escaping, and also have a close look at the red box.

Michel Feldheim
  • 17,625
  • 5
  • 60
  • 77