SQl Insert Problem when Quote in String

vei · April 18th, 2011, 06:13 PM

An error was encountered during execution of the query:

INSERT INTO photos (id,user,userid,cat,storecat,storeid,date,title,description,keywords,bigimage,width,height,
filesize,medwidth,medheight,medsize,approved,watermarked,allowprint,extra1,extra2,
extra3,extra4,extra5,extra6,ipaddress)
VALUES (NULL,'Joe'smom', 6123, 62, '576', '3053', 1134262636, 'Retrieving Santa--Golden Style!',
'Max and his new brother Wrigley---going over their lists with Santa', '', 'puppy_015.jpg', 640, 480, 166716, 0,
0, 0, 1, '','','','',
'','','','','72.9.0.200')

The query returned with an errorcode of:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'smom', 6123, 62, '576', '3053', 1134262636, 'Retrieving Santa--Golden Style!',
' at line 4

Chuck S · April 18th, 2011, 08:25 PM

I do not see how your error can happen. In our image-inc.php file we explicitly addslashes where needed. Most variables are typecast and addslashes is used in that function. Now a username is not typecast so that specifically is addslashed right before the query so the 64 million dollar question is why is your name not addslashes?

Code:

Content visible to verified customers only.

vei · April 20th, 2011, 05:10 PM

that userid comes from the vB3 user database.

vB allows (') in the username -- although I have since put a regexp on to prevent special characters from being used. Nonetheless, we do have a few users with a (') in their username.

Chuck S · April 20th, 2011, 06:32 PM

right but thats why I am a little confused as said we EXPLICITLY addslashes which means you should not have an issue. Your query shows there is no addslash being done.