
I'm trying to insert the following code into SQL, however it won't work. What's the problem? :O

Content

$share_text="<img src='http://dosha.re/i/Uvhg.png'/>";

(it's an IMG tag, except stackoverflow won't show the code.)

$sql.=", '$share_text'";

As you can tell, Sharetext does include an img extension, but for some reason I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://dosha.re/i/Uvhg.png'/>', 1, '', 'Tue Apr 2 2013', '09:51 PM')' at line 1

Ja͢ck
Blahwhore

2 Answers

1

You need to call the addslashes function around the variable value in which this image tag is coming. It's the error of single slashes.

Dead Man
  • @downvoter, can you tell me the reason for downvoting the answer? – Dead Man Apr 03 '13 at 05:00
  • Using `addslashes()` is bad practice for escaping SQL; it has its own function, depending on the library used. – Ja͢ck Apr 03 '13 at 05:04
  • But if `PHP` provides us the function then why not use it? – Dead Man Apr 03 '13 at 05:05
  • I have no idea why PHP provides `addslashes()` (never had to use it) but it should definitely not be used to escape string variables in SQL knowing there are better functions to accomplish it. – Ja͢ck Apr 03 '13 at 05:08
  • You are more experienced than us, that's why you know more functions than us, but if we just know this function and use it to good effect then I don't think that there is any issue in using it, knowing that I don't know too many functions. – Dead Man Apr 03 '13 at 05:10
  • We're all here to learn new things, so I'll leave you with [this article](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string) that discusses the merits of one over the other. – Ja͢ck Apr 03 '13 at 05:18
  • @DeadMan - sorry for the late response, stackoverflow wouldn't allow me to approve the answer until a few minutes after I responded to you and well... been kinda busy. But overall, you are a LIFE SAVER! :D – Blahwhore Apr 09 '13 at 16:29
0

You're using single quotes in the src attribute, but then you wrap the whole thing in single quotes too, so that won't work:

$share_text = '<img src="http://dosha.re/i/Uvhg.png" />';
$sql .= ", '$share_text'";

Alternatively, and probably better, use mysql_real_escape_string() or PDO::quote or mysqli::real_escape_string.

$sql .= sprintf(", '%s'", mysql_real_escape_string($share_text));

It's impossible to tell from this what your real query is, but I would suggest using prepared statements so that you don't have to worry about escaping SQL.

Ja͢ck
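The prepared-statement approach Jack recommends, as an added example that is not part of either answer: it reproduces the question's failure through PDO on an in-memory SQLite database (assumes the pdo_sqlite extension is available; with MySQL only the DSN changes; the table and column names are made up), then stores the same value with a bound parameter and with PDO::quote().

```php
<?php
// Added example, not from the question or the answers.
// Assumption: pdo_sqlite is installed; the table/column names are made up.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, share_text TEXT)");

// The value from the question: it contains single quotes of its own.
$share_text = "<img src='http://dosha.re/i/Uvhg.png'/>";

// 1. Interpolating the value into the SQL text, as in the question.
//    The first ' inside the value closes the string literal early, so the
//    rest of the value is parsed as SQL and the statement is rejected.
try {
    $pdo->exec("INSERT INTO posts (share_text) VALUES ('$share_text')");
    echo "Interpolated insert unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "Interpolated insert failed: " . $e->getMessage() . "\n";
}

// 2. Prepared statement: the value travels as a parameter and is never
//    parsed as SQL, so quotes inside it cannot end the literal or alter
//    the statement. This is the fix to prefer.
$stmt = $pdo->prepare("INSERT INTO posts (share_text) VALUES (:share_text)");
$stmt->execute([':share_text' => $share_text]);

// 3. Escaping with PDO::quote(): correct for the driver in use, but it
//    still builds SQL by string concatenation, so it is the second choice.
$pdo->exec("INSERT INTO posts (share_text) VALUES (" . $pdo->quote($share_text) . ")");

// 4. Read both rows back and check that the value was stored unchanged.
$rows = $pdo->query("SELECT share_text FROM posts ORDER BY id")->fetchAll(PDO::FETCH_COLUMN);
foreach ($rows as $i => $stored) {
    echo "row " . ($i + 1) . " intact: " . ($stored === $share_text ? "yes" : "no") . "\n";
}
```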