
Other people I've googled with this MySQL error have had restricted words, but I can't see any in mine.

I'm having trouble storing a CSS div in a variable and inserting it into a table as a field.

I'm very confused because the two <br/>s work perfectly, but then it breaks when I try a div.

userrepost.php

    /* Connect and Query database "accounts", then close connection */
    $connection=mysql_connect("localhost","root","");
    if (!$connection)
    {
        die('Cannot connect to MySQL. Error: ' . mysql_error());
    }

    $check_database = mysql_select_db("accounts", $connection);
    if (!$check_database)
    {
        die('Cannot connect to database. Error: ' . mysql_error());
    }

    /* Escape all POST variables */
    $query=mysql_query("SELECT * FROM posts WHERE id='$_GET[postid]'");
    $result = mysql_fetch_row($query);
    $escaped_repostinfo=$_POST['repostinfo'];
    $final_repostinfo=$escaped_repostinfo."<br/><br/><div id='rptext'>".$result[0]." ".$result[1]."</div>";
    echo $final_repostinfo;
    $date = new DateTime('Canada/Saskatchewan');
    $date->setTimezone(new DateTimeZone('Canada/Saskatchewan'));
    $date_string=$date->format('d/m/Y H:i:s');

    /* Query database to save user's post */
    /* If field "repostid==0", then the post is not a repost; if the field "repostid>0", then the post is a repost with the field "repostid" linking to the id of the post to be reposted */ 
    $result = mysql_query("INSERT INTO posts (user, content, repostid, date) VALUES ('$_SESSION[username]', '$final_repostinfo', '$_GET[postid]', '$date_string')");
    if (!$result)
    {
        die('Cannot query. Error: ' . mysql_error());
    }

    /* Close Connection */
    mysql_close($connection);

'rptext' is a CSS div (#rptext{stuff;})

This is the error:

Cannot query. Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'rptext'>shawn619 dfsd', '51', '09/11/2013 15:27:11')' at line 1
Fabrício Matté
shawn a

3 Answers

You are inserting an unescaped string which contains single quotes:

'rptext'

This needs to be properly escaped to work.

HaukurHaf

Escape all the variables you put into a query using mysql_real_escape_string. EVERY variable. I am 99% certain it's what's causing your errors, and also: passing $_GET variables directly into an SQL query is very dangerous. With every variable you forget, you leave a hole for these kinds of errors and SQL injection attacks.

It's as easy as this:

    $var = $_GET['some-parameter'];
    $var = mysql_real_escape_string($var); // now you may use it in a query

Edit: just to clarify, you don't just need to escape $_GET variables, but all of them! Don't forget $final_repostinfo and $date_string.

Robin Kanters
    $query=mysql_query("SELECT * FROM posts WHERE id='$_GET[postid]'");

$_GET[postid] is not like $_GET['postid']; there is a big difference.

Please use it this way:

    $query=mysql_query("SELECT * FROM posts WHERE id=`".$_GET[postid]."`");

And is $_GET['postid'] numeric or a string? If numeric, you don't need to use apostrophes.

Same problem here:

    $result = mysql_query("INSERT INTO posts (user, content, repostid, date) VALUES ('$_SESSION[username]', '$final_repostinfo', '$_GET[postid]', '$date_string')");

$_SESSION and $_GET...

dareKevil
  • You correctly say that "$_GET[postid] is not like $_GET['postid']", but you fail to explain to the OP why, and then incorrectly use postid without quotes yourself in your examples. – Nick Nov 09 '13 at 22:39
  • @Nick, I just didn't explain it correctly. About the postid quotes, I was talking about inside the query, not in $_GET... anyway, sorry :) – dareKevil Nov 11 '13 at 13:34
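As an added example that is not code from the question or from any of the answers: the repost insert from userrepost.php redone with PDO prepared statements, which is where the second and third answers are pointing (parameters instead of hand-escaping every variable, and an integer check on postid). Each value is bound as a parameter, so the single quotes around `rptext` are data rather than SQL and the syntax error from the question cannot occur. To run offline it uses an in-memory SQLite database through PDO in place of the MySQL "accounts" database; the column names follow the question, the seeded rows are constructed, and the function names `openDb`, `postIdFromRequest` and `repost` are my own. It assumes PHP 7.1 or later with the pdo_sqlite extension.

```php
<?php
// Added example, not code from the question or any answer. The repost insert
// from userrepost.php is redone with PDO prepared statements: every value is
// bound as a parameter, so the single quotes in <div id='rptext'> are data,
// not SQL, and nothing needs mysql_real_escape_string.
// Assumptions: PHP 7.1+ with the pdo_sqlite extension; an in-memory SQLite
// database stands in for the MySQL "accounts" database so this runs offline.
// Column names (user, content, repostid, date) follow the question.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user TEXT NOT NULL,
        content TEXT NOT NULL,
        repostid INTEGER NOT NULL DEFAULT 0,
        date TEXT NOT NULL)');
    return $db;
}

// The id from the query string is validated as a non-negative integer before
// it goes anywhere near SQL; "51' OR 1=1 --" and the like are rejected.
function postIdFromRequest(array $get): int
{
    $id = filter_var($get['postid'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('postid must be a non-negative integer');
    }
    return $id;
}

// Same concatenation as the question, then a parameterised INSERT.
// Returns the id of the new row.
function repost(PDO $db, string $username, string $repostInfo,
                int $postId, DateTimeImmutable $now): int
{
    $sel = $db->prepare('SELECT user, content FROM posts WHERE id = :id');
    $sel->execute([':id' => $postId]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new RuntimeException("no post with id $postId");
    }

    $content = $repostInfo . "<br/><br/><div id='rptext'>"
             . $row['user'] . ' ' . $row['content'] . '</div>';

    $ins = $db->prepare('INSERT INTO posts (user, content, repostid, date)
                         VALUES (:user, :content, :repostid, :date)');
    $ins->execute([
        ':user'     => $username,
        ':content'  => $content,
        ':repostid' => $postId,
        ':date'     => $now->format('d/m/Y H:i:s'),
    ]);
    return (int) $db->lastInsertId();
}

// Constructed walk-through: seed the post being reposted (user and text taken
// from the error message in the question), then repost it with text that
// itself contains quotes.
$db = openDb();
$db->prepare('INSERT INTO posts (user, content, repostid, date) VALUES (?, ?, 0, ?)')
   ->execute(['shawn619', 'dfsd', '09/11/2013 15:00:00']);

$get = ['postid' => '1'];   // stands in for $_GET
$now = new DateTimeImmutable('2013-11-09 15:27:11', new DateTimeZone('Canada/Saskatchewan'));
$newId = repost($db, 'shawn a', "it's a 'quoted' repost", postIdFromRequest($get), $now);

$chk = $db->prepare('SELECT content, repostid FROM posts WHERE id = :id');
$chk->execute([':id' => $newId]);
$stored = $chk->fetch(PDO::FETCH_ASSOC);
echo $stored['content'], "\n";       // the div and all its quotes, stored verbatim
echo 'repostid=', $stored['repostid'], "\n";

// Tampered id: rejected before any query is built.
try {
    postIdFromRequest(['postid' => "1' OR 1=1 --"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Swapping the DSN for `mysql:host=localhost;dbname=accounts` (with a user and password) makes the same code talk to the MySQL database from the question. The old `mysql_*` functions this replaces were removed in PHP 7, so prepared statements through PDO or mysqli are the only supported route on current PHP, and they remove the need to remember escaping for every variable, which is exactly the hole the second answer warns about.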