Why am I suddenly getting an error?

PHP
1

Using this code, I handle a form where I enter in my article. For some reason, now it’s throwing an error at me. The error is…

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ at line 1

Here is the code.

<?php
error_reporting(E_ALL);
session_start();
require("access.php");

include ("config.php");
?>
<!doctype html>
<html>
<head>
<title>check</title>
</head>
<body>
<?php

$contentOfPost=$_POST['contentOfPost'];
$dateTime = time();
$type=$_POST['type'];
$URL=$_POST['URL'];
$URLtitle = str_replace('-', ' ', substr($URL, 0, -4));
$teaser=$_POST['teaser'];
$imgURL=$_POST['img'];
if(!$type=="" || !$contentOfPost=="")
{
$link = mysql_connect($host, $username, $password);

if(!$link){die(mysql_error());}
$db_selected = mysql_select_db($DbName, $link);
if(!$db_selected){echo "dbselect";die(mysql_error());}
[B]$insertionToDatabase="INSERT INTO $tableName (PostNumber, DateTime, Content, type, URL, teaser, img) VALUES (NULL, FROM_UNIXTIME($dateTime), '$contentOfPost', '$type', '$URL', '$teaser', '$imgURL'";[/B]

$result = mysql_query($insertionToDatabase);
if (!$result) {
echo $type;
echo $URL;
echo $URLtitle;
echo $imgURL;
echo "<br>";
echo $insertionToDatabase;
    die('Invalid query: ' . mysql_error());
}
else
{
$fh = fopen($URL, 'w') or die("can't open file");
$stringData = '<?php $pageIdentity="'.$URLtitle.'";
$articleType="'.$type.'";
include("../../settings.php");
?>
<div id="wrapper">
	<?php include("../../header.php");?>
	<div id="main">
		<?php include("../../menu.php");?>
		<div id="page">
				<div id="content">
					<div class="post">							
						<h2 class="title article"><a href="'.$URL.'">'.$urlTitle.'</a></h2>
						<p class="meta">Posted on '.$dateTime.'&nbsp;&bull;&nbsp; <a href="http://www.ryanreese.us/blog/'.$URL.'" class="permalink">Full article</a></p>
						<div class="entry">
							<p><img src="'.$imgURL.'" width="186px" height="186px" alt="" class="alignleft border" />'.$contentOfPost.'</p>
						</div>
					</div>
				</div>
<?php include ("../../sidebar.php");?>
		</div>
	</div>
	<?php include("../../footer.php");?>
</div>
</body>
</html>';
fwrite($fh, $stringData) or die("cant");

fclose($fh);
}
echo $result;
mysql_close($link);
}
session_destroy();
?>

</body>
</html>

The bolded is what I run. I echo out the query and I get this.

INSERT INTO userSubmitted (PostNumber, DateTime, Content, type, URL, teaser, img) VALUES (NULL, FROM_UNIXTIME(1332387057), ’

Even if I remove the tacks (‘’) in the query, it doesn’t work.

2

Hi,
From what i noticed, it is missing the closing “)” to VALUES ( … ) , after last value, ‘$imgURL’ .

3

Wow that was it. I had to include tacks also otherwise it threw an error (which I had gotten before, and I removed the bracket because I thought that was the issue…but I digress).

Thank you :). One last question. In my content post (my article text) I have multiple instances of using " (quotes). Obviously due to my query, it gets a \ to not mess up the query. How can I make it so that when it opens up my file and writes the article in there, that the \ get stripped out?

4

Maybe it works with echo stripcslashes($string);

5

Thank you.

I went to php.net and there is stripslashes and stripcslashes. Why not just stripslashes instead of stripcslashes?

I went to the formers page on php.net and it seems to be the better option, just from a quick search.

6

I think is better with stripslashes().
The stripcslashes() Un-quote string quoted with addcslashes(), which quotes string with slashes in a C style.

7

:love:

Ok, I plan on writing another article tomorrow morning so once that finishes I’ll have a go at using stripslashes();. I have it updated on my file that handles the dirty work, so I’ll report back and let you know how it goes. Thanks a lot!

8

Hi Ryan. That’s not so obvious as you think it is. It shouldn’t get a \ unless you put it there, and in your code I don’t see you doing that. So maybe you have “magic quotes” enabled? If so, disable it (they’re deprecated from PHP 5.3 and removed from 5.4).
Instead, use mysql_real_escape_string to sanitize your user input strings before using them in a query (or take a look at PDO). That way, you won’t have to strip any \ from the data you retrieve from the database.

9

I thought it was obvious, perhaps that’s just me though. I definitely do not put a \ in there. Magic quotes might be enabled, but if it is, I was not the one to do it. How would I go about doing that? I plan on doing all the security measures this weekend (along with tidying the HTML/CSS) now that my website is basically done (minus article writes).

10

maybe you guys should move this thread over to the php forum, seeing as how that’s all you’ve talked about since post #2

:cool:

11

Hi
If the “\” is added by get_magic_quotes_gpc(), you can use this code to remove “\” if get_magic_quotes_gpc() is enabled.

if(get_magic_quotes_gpc()) {
  $string = stripslashes($string);
}
12

I’m a bit confused. I’ve never done a magic_quotes (gpc or otherwise) function. It’s literally just added in there.

I type up my article, it includes quote sin there just by me writing it. I put it in a variable. It gets put in teh database. It must get added upon echo or something.

I just have the stripslashse around my echo/fwrite so I’l see if that works.

13

How would I go about doing that?

It depends on how much control you have over the server. Read this page of the manual: http://www.php.net/manual/en/security.magicquotes.disabling.php

It must get added upon echo or something.

It gets added when the user data arrives at the server.

14

Thanks. I installed the php.ini file on my server and by default it’s off. I guess with no php.ini file there by default, it defaults to on. I also changed a few settings on there, such as error reporting.

With the quotes turned off, can I remove the stripslashes from my code? I added it on there last night but now I think I don’t need it.

15

Yes you should be able to remove that. Just try it :slight_smile:

16

I have to wait until I have an article written. For some reason (found this out during testing stages), if something gets submitted to the database, even if I delete it, the autoincremented postnumber column still gets the increase. Say I have one thing in there already. there is the #1 in the postnumber column for that submission. If I enter in another one for testing. It gets #2. Even if I delete that post, and enter in a new one, the new one gets #3. So unless I have a way to fix that, I don’t want to add stuff to the table.

I guess I’m also asking for a fix for this. I could remove the auto increment feature, find the last number submitted and ++ it…should I do that?

17

No, there is no fix for that. That’s the way the autoincrease works. Why would that be a problem? It’s just a number to identify the post in the database. It has no meaning.
If for some reason you want to show numbers without gaps on your website, you can always increase a counter while you loop through the result set.

I’d say no. You could do that if you’re the only one entering data in that table, because you won’t have the risk of simultaneous entries that cause a duplicate key. But as I said before, why would you?

18

I display the 5 most recent blog articles based by the postnumber auto incremenet column. If it sees I have #5, it will find 1-2-3-4-5. If 3 was absent due to a deletion in the database, it’ll display empty content for that section.

And yes, I’ll be the only one submitting the articles.

19

better idea: the 5 most recent blog posts based on datetime posted

20

The 5 most recent, based on autoincremental number or on datetime posted as Rudy says. But what you are describing here looks like a flaw in your logic. Would you mind posting some code?