Invalid character causing problems

         

Karma

12:47 pm on May 30, 2006 (gmt 0)

10+ Year Member



Hi,

I created a function to allow users to add comments to a page. However, when they use ' the script returns an error.

How should I deal with invalid characters?

eelixduppy

12:50 pm on May 30, 2006 (gmt 0)



Use mysql_real_escape_string [php.net] if you are adding it to a database.

Karma

1:21 pm on May 30, 2006 (gmt 0)

10+ Year Member



I've just looked at the code and I don't think I fully understand the %s

Here is my current code...

$add_comment = "INSERT INTO $table values('','$datetime','$name','$comment')";
mysql_query($add_comment) or die(mysql_error());

I've changed it to the following, which doesn't work...

$add_comment = sprintf("INSERT INTO $table values(%s,%s,%s,%s)",
quote_smart($_POST['']),
quote_smart($_POST['datetime']),
quote_smart($_POST['name']),
quote_smart($_POST['comment']));

mysql_query($add_comment);

eelixduppy

1:25 pm on May 30, 2006 (gmt 0)



Change it to the following:

$add_comment = "INSERT INTO ".$table." values ('','".mysql_real_escape_string($datetime)."','".mysql_real_escape_string($name)."','".mysql_real_escape_string($comment)."')";
mysql_query($add_comment) or die(mysql_error());

Karma

3:19 pm on May 30, 2006 (gmt 0)

10+ Year Member



Works a treat, thanks :)
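
An added example, not part of the thread and not any poster's code: the same comment insert done with a prepared statement, so values containing ' are sent as data and need no manual escaping. It assumes PDO with the SQLite driver (in-memory, so it runs offline), a hypothetical comments table with made-up column names, and a hypothetical add_comment() helper; the table name is checked against an allow-list because it cannot be bound as a parameter.

```php
<?php
// Added example (not from the thread). Assumptions: PDO + SQLite driver,
// a hypothetical `comments` table, and a hypothetical add_comment() helper.

// Identifiers such as table names cannot be bound, so allow-list them.
const ALLOWED_TABLES = ['comments'];

function add_comment(PDO $db, string $table, string $name, string $comment): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unknown table: $table");
    }
    // Placeholders keep the values out of the SQL text, so a ' in the
    // input is stored as data and never ends the string literal.
    $stmt = $db->prepare(
        "INSERT INTO $table (posted_at, name, comment)
         VALUES (:posted_at, :name, :comment)"
    );
    $stmt->execute([
        ':posted_at' => date('Y-m-d H:i:s'),
        ':name'      => $name,
        ':comment'   => $comment,
    ]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    posted_at TEXT NOT NULL,
    name TEXT NOT NULL,
    comment TEXT NOT NULL
)');

// Constructed sample inputs containing quotes and a backslash.
add_comment($db, 'comments', "O'Brien", "It's a great page");
add_comment($db, 'comments', 'Karma', 'She said "don\'t" \\ twice');

// Read the rows back to confirm the characters were stored unchanged.
foreach ($db->query('SELECT id, name, comment FROM comments') as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['name'], $row['comment']);
}

// A table name outside the allow-list is rejected before any SQL is built.
try {
    add_comment($db, 'no_such_table', 'x', 'y');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```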