-1

OK, so I have a form in a made-from-scratch forum. I am using NBBC to parse BBCode for the forum. Here is the code. My main focus is to transform the single quotes into HTML entities. I have tried a lot of things, including htmlentities() as well. Here is the generated error message:

ERROR [1064] You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

And here is the current code. I am giving the two pieces of code that need re-checking.

add_topic.php (Snippet)

require_once("nbbc/nbbc.php");
$bbcode = new BBCode;
$topic=$_POST['topic'];
$detail=htmlspecialchars($_POST['detail']); // default flags (ENT_COMPAT on PHP 5): single quotes are left untouched
$c_detail=$bbcode->Parse($detail);          // BBCode -> HTML; the parser keeps any quotes in its input
$name=$_POST['name'];
$c_name=htmlspecialchars($name, ENT_QUOTES);   // ENT_QUOTES: ' becomes &#039;
$c_topic=htmlspecialchars($topic, ENT_QUOTES);
$datetime=date("d/m/y h:i:s"); // create date time

// values are interpolated straight into the SQL text
$sql="INSERT INTO $tbl_name(topic, detail, name, datetime) VALUES('$c_topic', '$c_detail', '$c_name', '$datetime')";
$result=mysql_query($sql);

if($result){
echo "Successful<BR>";
echo "<a href=main_forum.php>View your topic</a>";
}
else {
echo "ERROR [" . mysql_errno() . "] " . mysql_error();
}

add_answer.php

require_once("nbbc/nbbc.php");
$bbcode = new BBCode;
$a_name=$_POST['a_name'];
$a_subject=$_POST['a_subject'];
$a_answer=$bbcode->Parse($_POST['a_answer']);   // not encoded or escaped at all
$ac_name=htmlspecialchars($a_name, ENT_QUOTES);
$ac_subject=htmlspecialchars($a_subject, ENT_QUOTES); // was encoding $a_name twice; subject was never used
$datetime=date("d/m/y H:i:s"); // create date and time

// $id and $Max_id are set earlier in the file (not shown)
$sql2="INSERT INTO $tbl_name(question_id, a_id, a_name, a_subject, a_answer, a_datetime) VALUES('$id', '$Max_id', '$ac_name', '$ac_subject', '$a_answer', '$datetime')";
$result2=mysql_query($sql2);

if($result2){
echo "Successful<br />";
echo "<a href='view_topic.php?id=".$id."'>View your answer</a>";

$tbl_name2="forum_question";
$sql3="UPDATE $tbl_name2 SET reply='$Max_id' WHERE id='$id'";
$result3=mysql_query($sql3);

}
else {
echo "ERROR [" . mysql_errno() . "] " . mysql_error();
}

To re-clarify: all I need is to remove all HTML tags (and any other scripting tags, for that matter), parse the BBCode, and finally insert the data without error.

Semirix
  • 271
  • 3
  • 13
  • `My main focus is to transform the single quotes into html entities` - what makes you think that there's an HTML entity that represents a single quote? – N.B. Oct 06 '11 at 10:27
  • 1
    @Codeboy One day [Bobby Tables](http://xkcd.com/327/) came along to write a post on your forum, but after that your whole members table was gone. What happened? – Shef Oct 06 '11 at 10:29
  • 3
    You should be careful about opening your "made from scratch forum" to the Internet, it looks like your code is riddled with security holes. – thirtydot Oct 06 '11 at 10:30
  • it is quite evident from your present code, dude – Your Common Sense Oct 06 '11 at 10:57

2 Answers

3

Try mysql_real_escape_string(). Should work!

http://php.net/manual/en/function.mysql-real-escape-string.php

Janis Lankovskis
  • 1,042
  • 9
  • 9
2

You need to use mysql_real_escape_string() (http://php.net/manual/en/function.mysql-real-escape-string.php), not htmlspecialchars().

Ed Heal
  • 59,252
  • 17
  • 87
  • 127