Anybody know what causes this error in MySQL - GoFuckYourself.com

halfpint · 12-11-2009, 04:30 PM

When users try to add a listing by typing into a text box and they use any word with a ' so if they type sort's it comes up saying that there is an error in MySQL

Anbody know what causes this or how to fix it

cheers

Linguist · 12-11-2009, 04:34 PM

Yeah. Use this:

http://php.net/manual/en/function.my...ape-string.php

baddog · 12-11-2009, 04:34 PM

what is the error?

halfpint · 12-11-2009, 04:40 PM

Quote:

Originally Posted by baddog

what is the error?

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'S

halfpint · 12-11-2009, 04:40 PM

Quote:

Originally Posted by Linguist

Yeah. Use this:

http://php.net/manual/en/function.my...ape-string.php

Thanks Ill take a look at that

neonlights · 12-11-2009, 04:43 PM

you need to "clean up" your variables by escaping those things that causes mysql to throw up.

$insertthisnowtomysql = mysql_real_escape_string($sometextforinsert)

now just run "INSERT" sql

halfpint · 12-11-2009, 04:50 PM

Quote:

Originally Posted by neonlights

you need to "clean up" your variables by escaping those things that causes mysql to throw up.

$insertthisnowtomysql = mysql_real_escape_string($sometextforinsert)

now just run "INSERT" sql

so its the script and not mysql... cheers

Tanker · 12-11-2009, 05:09 PM

its the ' use " instead

woj · 12-11-2009, 05:13 PM

like someone said earlier, just escape the input before putting it in the db...

but that error isn't just some inconvenience, it can often be exploited to hack the script... I would have someone look into it...

halfpint · 12-11-2009, 05:14 PM

Quote:

Originally Posted by Tanker

its the ' use " instead

trouble is its the users that are using ' and not " when they are typing things like mod's

Linguist · 12-11-2009, 05:33 PM

Quote:

Originally Posted by halfpint

trouble is its the users that are using ' and not " when they are typing things like mod's

Like woj said, those users can do more than just cause an error, a few cleverly placed 's from malicious users and you can kiss your data goodbye. I wrote this a few weeks ago:

http://www.embracer.com/2009/databas...sql-injections

halfpint · 12-11-2009, 05:34 PM

Quote:

Originally Posted by woj

like someone said earlier, just escape the input before putting it in the db...

but that error isn't just some inconvenience, it can often be exploited to hack the script... I would have someone look into it...

Thanks

Im not very good when it comes to mysql things and Im not to sure what he means by " just escape the input before putting it in the db...

is this inserted into the database or the script If I cant fix it I will see if sands is about and see if he can fix it or contact the people I bought the script from

halfpint · 12-11-2009, 05:52 PM

Quote:

Originally Posted by Linguist

Like woj said, those users can do more than just cause an error, a few cleverly placed 's from malicious users and you can kiss your data goodbye. I wrote this a few weeks ago:

http://www.embracer.com/2009/databas...sql-injections

Thanks for the info Iv contacted the people who I purchased the script from and have told them what you guys have told me

CYF · 12-11-2009, 06:08 PM

woj · 12-11-2009, 06:32 PM

Quote:

Originally Posted by CYF

12-11-2009, 04:30 PM	#1
halfpint GFY's Halfpint Industry Role: Join Date: Jun 2007 Location: UK Posts: 15,223	Anybody know what causes this error in MySQL When users try to add a listing by typing into a text box and they use any word with a ' so if they type sort's it comes up saying that there is an error in MySQL Anbody know what causes this or how to fix it cheers __________________ Get FREE website listings on Cryptocoinshops.net

12-11-2009, 04:34 PM	#2
Linguist Confirmed User Join Date: Apr 2004 Location: Toronto, ON Posts: 1,706	Yeah. Use this: http://php.net/manual/en/function.my...ape-string.php __________________ 315-310

12-11-2009, 05:09 PM	#8
Tanker Confirmed User Industry Role: Join Date: Nov 2000 Location: Oakville, Ontario, Canada Posts: 9,287	its the ' use " instead __________________ Tanker ICQ 3427575 CCBTools Now featured in the CCBill.com APP STORE

12-11-2009, 05:13 PM	#9
woj <&(©¿©)&> Industry Role: Join Date: Jul 2002 Location: Chicago Posts: 47,882	like someone said earlier, just escape the input before putting it in the db... but that error isn't just some inconvenience, it can often be exploited to hack the script... I would have someone look into it... __________________ Custom Software Development, email: woj#at#wojfun#.#com to discuss details or skype: wojl2000 or gchat: wojfun or telegram: wojl2000 Affiliate program tools: Hosted Galleries Manager Banner Manager Video Manager Wordpress Affiliate Plugin Pic/Movie of the Day Fansign Generator Zip Manager Last edited by woj; 12-11-2009 at 05:14 PM..

12-11-2009, 06:08 PM	#14
CYF Coupon Guru Industry Role: Join Date: Mar 2009 Location: Minneapolis Posts: 10,973	__________________ Webmaster Coupons Coupons and discounts for hosting, domains, SSL Certs, and more! AmeriNOC Coupons \| Certified Hosting Coupons \| Hosting Coupons \| Domain Name Coupons

12-11-2009, 04:34 PM	#3
baddog So Fucking Banned Industry Role: Join Date: Apr 2001 Location: the beach, SoCal Posts: 107,089	what is the error?

12-11-2009, 04:43 PM	#6
neonlights So Fucking Banned Join Date: Dec 2009 Posts: 464	you need to "clean up" your variables by escaping those things that causes mysql to throw up. $insertthisnowtomysql = mysql_real_escape_string($sometextforinsert) now just run "INSERT" sql