-3

Please help! I'm pretty new to this so this problem completely baffles me!

Error message: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Black Son',twitter_account_date='2015-10-21 22:36:06' WHERE twitter_id='257771' at line 1

Code: 

<?php
//ini_set('display_errors', 0);
date_default_timezone_set('GMT');
require_once('config.php');
require("twitter/twitteroauth.php");


 $date=date('Y-m-d H:i:s');
 $time=date('H:i:s');

/* MarketPlace Email Notification*/

$sql_t="SELECT description FROM  email_template WHERE template_id=15";
$result_tmp=mysql_query($sql_t) or die(mysql_error());
$roT=mysql_fetch_array($result_tmp);
$tempL=$roT['description'];

 $sql_m="SELECT t.screen_name,t.seller_twitter_account_id,s.email,t.created_at,t.mail_status FROM seller_twitter_account as t LEFT JOIN seller_master as s ON t.seller_id=s.seller_id WHERE t.tweet_price=0";
 $result_m=mysql_query($sql_m) or die(mysql_error());

 while($roM=mysql_fetch_array($result_m)){

     $screen_name=$roM['screen_name'];
  $twitter_act_id=$roM['seller_twitter_account_id'];
  $email=$roM['email'];
  $mail_status=$roM['mail_status'];
  $date1=strtotime($roM['created_at']);
  $date2=strtotime(date('Y-m-d H:i:s'));
  
  $diffHours = round(($date2 - $date1) / 60);

  if($diffHours>=1440 && $mail_status==0){
     $to = $email;
     $subject = "Add a Tweet Price";
     $message = str_replace("[SCREEN_NAME]",$screen_name,$tempL);
     $header = "From:info@tweetvend.com \r\n";
     $header .= "MIME-Version: 1.0\r\n";
     $header .= "Content-type: text/html\r\n";
     $retval = mail ($to,$subject,$message,$header);
     if( $retval == true )  
     {
     echo "Message sent successfully...";
    mysql_query("UPDATE seller_twitter_account set mail_status=1 WHERE seller_twitter_account_id='$twitter_act_id'");
     }
     else
     {
     echo "Message could not be sent...";
     }

  }

    if($diffHours>=10080 && $mail_status==1){

     $to = $email;
     $subject = "Add a Tweet Price";
     $message = str_replace("[SCREEN_NAME]",$screen_name,$tempL);
     $header = "From:info@tweetvend.com \r\n";
     $header .= "MIME-Version: 1.0\r\n";
     $header .= "Content-type: text/html\r\n";
     $retval = mail ($to,$subject,$message,$header);
     if( $retval == true )  
     {
     echo "Message sent successfully...";
      mysql_query("UPDATE seller_twitter_account set mail_status=2 WHERE seller_twitter_account_id='$twitter_act_id'");
     
     }
     else
     {
     echo "Message could not be sent...";
     }

  }




 }

 /* END code*/


/*UPDATE TWITTER ACCOUNT CODE*/

 $sql_tac="SELECT screen_name,oauth_access_token,oauth_access_token_secret,twitter_account_date FROM seller_twitter_account";
 $result_TAC=mysql_query($sql_tac);
 while($roWTA=mysql_fetch_array($result_TAC))
 {
   $twitterAccountDate=$roWTA['twitter_account_date'];
   $day1 =  strtotime(date("Y:m:d H:i:s"));
   $day2 = strtotime($twitterAccountDate);
   $diffHours = round(($day1 - $day2) / 3600);

if($diffHours>=24){

   $screen_name=$roWTA['screen_name'];
   $oauth_access_token =$roWTA['oauth_access_token'];
   $oauth_access_token_secret=$roWTA['oauth_access_token_secret'];
   $consumer_key='37pRttXuKrGZawYsNp6Tu6DSL';
   $consumer_secret='566TXt7ldNDJFkZazshwhgy3JILh104DP4KIUyrSguH5MZ54o1'; 
 
     $request = array(
            'screen_name'       => $screen_name,
            'count'             => '1'
        );

    $twitterObj = new TwitterOAuth($consumer_key, $consumer_secret, $oauth_access_token, $oauth_access_token_secret);
    $twitterInfo=$twitterObj->get('statuses/user_timeline',$request);

   //echo '<pre>';
    //print_r($twitterInfo); 
    //$twitterInfo->error==''

  if(!empty($twitterInfo)){
     //if(isset($twitterInfo->errors) && count($twitterInfo->errors)==0){

 if($twitterInfo->errors[0]->message==''){
  $twitter_id=$twitterInfo[0]->user->id;
  $name=$twitterInfo[0]->user->name;
  $num_of_followers=$twitterInfo[0]->user->followers_count;
  $num_of_followings=$twitterInfo[0]->user->friends_count;
  $num_of_tweets=$twitterInfo[0]->user->statuses_count;
  $twitter_profile_pic_url=$twitterInfo[0]->user->profile_image_url;
    
  $sqltUpdt="UPDATE seller_twitter_account SET num_of_followers='$num_of_followers', num_of_followings='$num_of_followings', num_of_tweets='$num_of_tweets', twitter_profile_pic_url='$twitter_profile_pic_url', twitter_name='$name',twitter_account_date='$date' WHERE twitter_id='$twitter_id'";
       mysql_query($sqltUpdt) or die(mysql_error());
     } 
   } 
 }
}

 /*END TWITTER ACCOUNT CODE*/

 /*Tweet Approved Automatically*/
 
 /*$sql_tweet="SELECT od.order_id,m.item_id,t.tweet_asap,t.retweet_asap,t.tweet_post_date_time,t.retweet_post_date,t.tweet_order_date from order_master as od,  item_order_master as m,tweet_order as t WHERE od.order_id=m.order_id AND m.item_id=t.item_id AND m.tweet_status=0 AND od.order_completed=1 AND od.is_active=1 group by m.item_id";

 $tweetResult=mysql_query($sql_tweet);
 while($rows=mysql_fetch_array($tweetResult)){
  $tweet_asap=$rows['tweet_asap'];
  $retweet_asap=$rows['retweet_asap'];
  $tweet_post_date=$rows['tweet_post_date_time'];
  $retweet_post_date=$rows['retweet_post_date'];
  $tweet_asap_post_date=$rows['tweet_order_date'];
  $orderId=$rows['order_id'];
  $itemId=$rows['item_id'];

   if($tweet_asap==1 || $retweet_asap==1){
   $day1 =  strtotime(date("Y:m:d H:i:s"));
   $day2 = strtotime($tweet_asap_post_date);
   $diffHours = round(($day1 - $day2) / 3600);
   if($diffHours>=48){
          $sql_up="UPDATE item_order_master set tweet_status=1 WHERE item_id='$itemId'";
     mysql_query($sql_up) or die(mysql_error());
     $sql_upp="UPDATE tweet_order set tweet_order_date='$date' WHERE item_id='$itemId'";
     mysql_query($sql_upp) or die(mysql_error());
   }
 }
 if($tweet_asap==0){
       $day1 =  strtotime(date("Y:m:d H:i:s"));
    $day2 = strtotime($tweet_post_date);
    $diffHours = round(($day1 - $day2) / 3600);
     if($diffHours>=48){
           $sql_up="UPDATE item_order_master set tweet_status=1 WHERE item_id='$itemId'";
     mysql_query($sql_up) or die(mysql_error());
     $sql_upp="UPDATE tweet_order set tweet_post_date_time='$date' WHERE item_id='$itemId'";
     mysql_query($sql_upp) or die(mysql_error());
   }
 }
 if($retweet_asap==0){
       $day1 =  strtotime(date("Y:m:d H:i:s"));
    $day2 = strtotime($retweet_post_date);
    $diffHours = round(($day1 - $day2) / 3600);
     if($diffHours>=48){
   $sql_up="UPDATE item_order_master set tweet_status=1 WHERE item_id='$itemId'";
     mysql_query($sql_up) or die(mysql_error());
     $sql_upp="UPDATE tweet_order set retweet_post_date='$date' WHERE item_id='$itemId'";
     mysql_query($sql_upp) or die(mysql_error());

   }
 }


 }*/

 /*End Code*/

 

echo 'Completed';


?>
Bo Beaumont
  • 3
  • 5

1 Answers1

2

You need to escape all the inputs, in case they contain quote characters.

$twitter_id = mysql_real_escape_string($twitterInfo[0]->user->id);
$name = mysql_real_escape_string($twitterInfo[0]->user->name);
... and so on

It would be better if you switched to PDO or mysqli, and used prepared statements with bound parameters, instead of substituting variables into query strings. See How can I prevent SQL injection in PHP?

Community
  • 1
  • 1
Barmar
  • 741,623
  • 53
  • 500
  • 612