Iggy, posted February 23, 2006

Hi there,

I have an error on my admin/orders.php involving not escaping apostrophes.

    1 x Pro's Choice1064 - You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 's Choice'' at line 1
    select products_id from products_description where products_name='Pro's Choice'

You can see it here. I'm about to dig into it but was hoping some kind soul may have tracked this down before and would share any advice/solution they might have. I have searched the forum and, although the question is asked quite a bit, it is not asked specifically for this page, and I haven't dug up any answers.

Thanks,
Iggy

Everything's funny but nothing's a joke...
Iggy (author), posted February 23, 2006

Hmmm. Poking around, it appears to be this chunk of added functionality (Imprint Text Options) causing the problem:

    // denuz text attr
    $pid = @mysql_result(tep_db_query("select products_id from products_description where products_name='" . $order->products[$i]['name'] . "'"), 0, "products_id");
    $attr_q = tep_db_query("select ota.*, pta.products_text_attributes_name from orders_text_attributes as ota, products_text_attributes as pta where ota.orders_id = " . $HTTP_GET_VARS['oID'] . " and ota.products_id = " . $pid . " and pta.products_text_attributes_id = ota.products_text_attributes_id");
    while ($attr = tep_db_fetch_array($attr_q)) {
        echo '<br><nobr><small> <i> - ' . $attr['products_text_attributes_name'] . ': ' . stripslashes($attr['products_text_attributes_text']);
        echo '</i></small></nobr>';
    }
    // eof denuz text attr

Can anyone spot the problem in that?

Thanks,
Iggy

Everything's funny but nothing's a joke...
Iggy (author), posted February 23, 2006

Seek and thou shalt be rewarded. From FalseDawn come these words of wisdom:

    the "tep_db_input" function in database.php should always be used on all parameters forming part of a query - it adds slashes where necessary to escape these characters.

and a little further down in the post FD suggests changing this line

    @mysql_result(tep_db_query("select products_id from products_description where products_name='" . $order->products[$i]['name'] .

to this

    @mysql_result(tep_db_query("select products_id from products_description where products_name='" . tep_db_input($order->products[$i]['name']) .

It's easy when you know how. Thanks to FalseDawn for this almost year-old post!

Iggy

Everything's funny but nothing's a joke...
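The failure and the two ways out of it, as an added stand-alone example that is not code from this thread or from osCommerce: it uses PDO with an in-memory SQLite table in place of osCommerce's tep_db_* wrappers, shows the concatenated lookup breaking on the constructed name "Pro's Choice", then the escape-at-the-boundary fix FalseDawn recommends (PDO::quote standing in for tep_db_input, since each driver escapes differently) and a bound parameter, which also covers the orders_id value the second query in the post concatenates the same way.

```php
<?php
// Added example, not osCommerce's code. SQLite via PDO replaces tep_db_query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE products_description (products_id INTEGER, products_name TEXT)");
$db->exec("INSERT INTO products_description VALUES (1, 'Pro''s Choice'), (2, 'Plain Name')");

// Constructed order-line name, the value that produced the 1064 error in the thread.
$name = "Pro's Choice";

// 1. The original pattern: the name is spliced straight into the statement text.
//    The apostrophe closes the string literal early, so the SQL no longer parses.
//    Any value that can reach this point can therefore alter the statement.
function lookupConcatenated(PDO $db, string $name) {
    $sql = "select products_id from products_description where products_name='" . $name . "'";
    try {
        return $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'SQL error: ' . $e->getMessage();
    }
}

// 2. The fix from the thread: escape the value for the target database before
//    concatenating. tep_db_input does this for MySQL; PDO::quote does it here for
//    SQLite (doubling the quote instead of backslashing it), which is why the
//    escaping must always come from the driver, never from a hand-written replace.
function lookupEscaped(PDO $db, string $name) {
    $sql = "select products_id from products_description where products_name=" . $db->quote($name);
    return $db->query($sql)->fetchColumn();
}

// 3. The stronger form: bind the value as a parameter. The statement text and the
//    data travel separately, so quotes in the value cannot change the query at all.
function lookupPrepared(PDO $db, string $name) {
    $stmt = $db->prepare("select products_id from products_description where products_name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchColumn();
}

echo "concatenated: ", lookupConcatenated($db, $name), "\n";
echo "escaped:      ", lookupEscaped($db, $name), "\n";
echo "prepared:     ", lookupPrepared($db, $name), "\n";
```

Run with `php example.php`; the first lookup reports the syntax error, the other two return product id 1.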