[johnd07]

So I have this query that's causing problems.. here it is

$query = "INSERT INTO  `articles` (`aid` ,`title` ,`writtenby` ,`category` ,`section` ,`date` ,`image1` ,`content` ,`subtitle`) VALUES ('', '$title', '$author', '$category', '$section', '$date', '".$image['name']."', '$content', '$subtitle')";

The problem is whenever i enter content in either "title, content or subtitle"
that contains an apostrophe (') it returns an error.. but if i enter content without any it works fine... is there anyway to fix this, or do i have to enter stuff without apostrophes??

I get this "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near"

This post has been edited by johnd07: 03 January 2010 - 08:11 PM

[no2pencil]

Quote

'".$image['name']."'

The single quote for the $image array element is ending the start single quote for the sql insert value.

Since there is no space in the element name (name) then you can safely remove the single quotes from the #image array.

$query = "INSERT INTO  `articles` (`aid` ,`title` ,`writtenby` ,`category` ,`section` ,`date` ,`image1` ,`content` ,`subtitle`) VALUES ('', '$title', '$author', '$category', '$section', '$date', '$image[name]', '$content', '$subtitle')";

[JackOfAllTrades]

Oh, I and PHP must disagree on that, no2. From the manual:

Quote

Array do's and don'ts
Why is $foo[bar] wrong?

Always use quotes around a string literal array index. For example, $foo['bar'] is correct, while $foo[bar] is not. But why? It is common to encounter this kind of syntax in old scripts:

<?php
$foo[bar] = 'enemy';
echo $foo[bar];
// etc
?>

This is wrong, but it works. The reason is that this code has an undefined constant (bar) rather than a string ('bar' - notice the quotes). PHP may in future define constants which, unfortunately for such code, have the same name. It works because PHP automatically converts a bare string (an unquoted string which does not correspond to any known symbol) into a string which contains the bare string. For instance, if there is no defined constant named bar, then PHP will substitute in the string 'bar' and use that.

Treading on thin ice there

Would rather see:

$query = "INSERT INTO  `articles` (`aid` ,`title` ,`writtenby` ,`category` ,`section` ,`date` ,`image1` ,`content` ,`subtitle`) VALUES ('', '$title', '$author', '$category', '$section', '$date', '{$image['name']}', '$content', '$subtitle')";

[johnd07]

Sorry guys tried both and got the same error...Thanks for the lesson btw

I got: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'supreme application at the crease was rewarded with a total of 2 for 190 and a 6' at line 1


when I tried to post :
Half-centuries to openers Salman Butt and Imran Farhat have Pakistan well positioned to establish an imposing first-innings lead over the Australians. After an attritional second session on Monday, the tourists' supreme application at the crease was rewarded with a total of 2 for 190 and a 63-run advantage over Australia's meager first-day tally.

notice the error starts at the first apostrophe..

And if I remove them it works!!

This post has been edited by johnd07: 03 January 2010 - 11:08 PM

[relic5.2]

try escaping the code, I presume it's $content that's causing problem

$content = addslashes($content);
$query = "INSERT INTO  `articles` (`aid` ,`title` ,`writtenby` ,`category` ,`section` ,`date` ,`image1` ,`content` ,`subtitle`) VALUES ('', '$title', '$author', '$category', '$section', '$date', '".$image['name']."', '$content', '$subtitle')";

[noorahmad]

you can use mysql_real_escape_string or addslashes,
Example:

<?PHP
$msg = mysql_real_escape_string($_POST['txtMessage']);
// or 
$msg = addcslashes($_POST['txtMessage']);
// how to use it
$strQuery = mysql_query("INSERT INTO table_name (Message) Values('$msg')")or die(mysql_error());
?>

Hope it helps

[JackOfAllTrades]

noorahmad, if you're using MySQL, you should ALWAYS use mysql_real_escape_string to escape the content, not addslashes. From the documentation for addslashes:

Quote

It's highly recommeneded to use DBMS specific escape function (e.g. mysqli_real_escape_string() for MySQL or pg_escape_string() for PostgreSQL), but if the DBMS you're using does't have an escape function and the DBMS uses \ to escape special chars, you can use this function.

[johnd07]

Thank you Guys so much, now i can move forward hopefully I can sort out any other error I encounter ...

You can edit to title to Solved..

[noorahmad]

Thanks Jack
I know but my bad that I didn't cleared that