I'm currently experiencing a very annoying problem; when someone tries to make a post on the forum with a ' (single quote) in it, an SQL syntax error appears. Posting double quote (") or `-characters works fine however...
This problem, which I think is a bug, is reproducible by trying to post something on the BBtoNuke board with a ' in it.
It also happens when trying to create a new topic with a ' in its subject.
I've been searching the world for a fix or even an existing forum topic about it on various phpnuke support sites (phpnuke.org itself, nukecops and this site of course) but until now it seems no one running a phpnuke site ever uses single quotes on its forum.
The problem appeared after upgrading to PHPNuke 7.9 with patch 3.1 about a week ago.
Here's an example of the SQL syntax error:
Code:
DEBUG MODE
SQL Error : 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''this is a test topic '')' at line 1
INSERT INTO nuke_bbposts_text (post_id, post_subject, bbcode_uid, post_text) VALUES ('525', 'test topic', '8e705b514c', 'this is a test topic '')
Line : 284
File : functions_post.php
The responsible piece from functions_post.php (for the PHP/SQL coders here):
There's of course some logic about why the syntax error appears, because the $post_subject variable is enclosed in 2 single quotes, so when there's another one in $post_subject itself, it will get confused...
The question is: how can it be solved? Is there an existing fix or is there something I can edit the functions_post.php file with?
Thanks in advance
PHPNuke 7.9 with patch 3.1
BBtoNuke 2.0.19 (upgraded, but it didn't solve the problem)
See my signature for environment information.
Last edited by Assgier on Thu Jan 05, 2006 9:33 pm; edited 1 time in total
_________________
FreeBSD 6.0-RELEASE
Apache 2.0.55
PHP 4.4.1
MySQL 4.1.11
After a few days without any replies, I decided to jump into it one last time myself and started searching for using single quotes in PHP scripts, inserting data into SQL tables...
After some time I found out about the PHP function addslashes(), which automatically detects any characters like the single quote that can possibly be recognised by, for example, MySQL as a char with a purpose. When detected, it puts an escape sign (\) in front of it and continues parsing...
So when browsing the functions_post.php code, I found out that the creators of phpBB have decided not to use that function and leave it to PHP itself...
Then I stumbled upon the MAGIC_QUOTES_GPC feature of PHP. Since I'm using a pretty much default php.ini-recommended file for my configuration, the MAGIC_QUOTES_GPC function was disabled (the PHP founders say that it's better for performance if PHP scripts use the addslashes() and stripslashes() functions instead of depending on MAGIC_QUOTES_GPC).
I enabled MAGIC_QUOTES_GPC and all of a sudden the problem was solved.
Perhaps it would be an idea for the nukeresources.com guys to include pieces of code like the one beneath in their BBtoNuke port.
Code:
if (!get_magic_quotes_gpc()) {
    $post_subject = addslashes($post_subject);
}
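An added example, not part of the posts above and not BBtoNuke's own code: the INSERT from the error message, run through PDO against an in-memory SQLite database, first built by string concatenation and then as a prepared statement. It assumes a current PHP with the pdo_sqlite extension (not the PHP 4.4.1 / MySQL 4.1 setup in the thread); the table layout is inferred from the error message and the sample post is constructed.

```php
<?php
// Added example. Table and column names come from the error message in the
// thread; the SQLite database and the sample post are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE nuke_bbposts_text (
    post_id INTEGER,
    post_subject TEXT,
    bbcode_uid TEXT,
    post_text TEXT
)');

// Constructed input: a post body that ends in a single quote.
$post = array(
    'post_id'      => 525,
    'post_subject' => 'test topic',
    'bbcode_uid'   => '8e705b514c',
    'post_text'    => "this is a test topic '",
);

// 1) Query assembled by concatenation, like the failing INSERT in the debug
//    output: the quote inside the data is read as part of the SQL text.
$sql = "INSERT INTO nuke_bbposts_text (post_id, post_subject, bbcode_uid, post_text) VALUES ('"
     . $post['post_id'] . "', '" . $post['post_subject'] . "', '"
     . $post['bbcode_uid'] . "', '" . $post['post_text'] . "')";
try {
    $db->exec($sql);
    echo "concatenated query: inserted\n";
} catch (PDOException $e) {
    echo "concatenated query: rejected (" . $e->getMessage() . ")\n";
}

// 2) Prepared statement: the values are sent separately from the SQL text,
//    so the result does not depend on addslashes() or any php.ini setting.
$stmt = $db->prepare(
    'INSERT INTO nuke_bbposts_text (post_id, post_subject, bbcode_uid, post_text)
     VALUES (?, ?, ?, ?)'
);
$stmt->execute(array_values($post));

$stored = $db->query('SELECT post_text FROM nuke_bbposts_text WHERE post_id = 525')
             ->fetchColumn();
echo "prepared statement: stored [" . $stored . "]\n";
```

magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the quoting has to be handled in the code that builds the query.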