Error in SQL syntax

Man, I’m not very good at this PHP stuff in terms of starting from scratch. I can decipher what is going on, but my troubleshooting skills for editing my own work… suck.

I put up a survey site with a very simple post of data into a MySQL database from a PHP front-end. My boss tried it out and put an apostrophe in his comments section, which threw up the standard:
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'm working hard')' at line 37

Uh oh. Showing SQL errors can lead to problems – injections, giving away data, etc. Since this was an internal-only site, it didn’t really matter quite as much, but I’d still like to allow people to utilize the apostrophe.

Add this to the inserting PHP page:

  // Escape every posted value before it is placed inside the SQL string.
  // mysql_real_escape_string() needs an open connection, so this must run
  // after mysql_connect()/mysql_select_db().
  foreach ($_POST as $key => $value) {
    $_POST[$key] = mysql_real_escape_string($value);
  }

It goes right after my mysql_select_db("dbname", $con); statement.
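For comparison, here is an added example (not from the original post) that shows the concatenated INSERT the apostrophe breaks next to the same insert done as a PDO prepared statement, which sends the comment as a bound parameter so no escaping of $_POST is needed at all, and reports failures without echoing SQL details to the browser. The table name, column names, DSN and credentials are assumptions.

```php
<?php
// Constructed input: the comment that triggered the error in the post.
$comment = "I'm working hard";
$name    = "boss";

// BEFORE: the value is spliced into the SQL text. The apostrophe closes the
// string literal early and the remainder is parsed as SQL, which is a syntax
// error here and an injection vector in general.
function buildUnsafeInsert(string $name, string $comment): string {
    return "INSERT INTO survey (name, comment) VALUES ('$name', '$comment')";
}
// buildUnsafeInsert($name, $comment) yields:
// INSERT INTO survey (name, comment) VALUES ('boss', 'I'm working hard')

// AFTER: the SQL text is fixed and the values travel separately as
// parameters, so the server never interprets them as syntax.
function insertResponse(PDO $db, string $name, string $comment): bool {
    $stmt = $db->prepare(
        'INSERT INTO survey (name, comment) VALUES (:name, :comment)'
    );
    return $stmt->execute([':name' => $name, ':comment' => $comment]);
}

try {
    // Assumed connection details. ERRMODE_EXCEPTION makes failures throw
    // instead of returning false silently; EMULATE_PREPARES=false uses real
    // server-side prepared statements.
    $db = new PDO(
        'mysql:host=localhost;dbname=dbname;charset=utf8mb4',
        'user',
        'pass',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
    insertResponse($db, $name, $comment);
    echo "Thanks for your response.";
} catch (PDOException $e) {
    // Log the real error server-side and show the user a generic message,
    // so SQL text and server version details never reach the browser.
    error_log($e->getMessage());
    echo "Sorry, your response could not be saved.";
}
```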
