htmlentities or stripslashes

corruption

I'm writting a news script. I have a seperate login page and then a form that the person enters the topic their name, and date of post, then the news.

In the news section suppose someone enters something like "I'm, or You're, or anything with quotation marks in it. MySql sends an error back like this:

You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'm trying to enter new data into the news section.

here's the code that processes the form:

include 'connect.php';

//news.php to pass field values to database for news 
$topic = $_POST['topic'];
$author = $_POST['author'];
$date = $_POST['date'];
$news = $_POST['news'];
//show the passed values
echo $topic;
echo $author;
echo $date;
echo $news;

//stripslashes from variables
$topic = stripslashes($topic);
$author = stripslashes($author);
$date = stripslashes($date);
$news = stripslashes($news);
//insert data into database

mysql_query("INSERT INTO news(topic, author, date, news)		
	VALUES('$topic', '$author', '$date', '$news');") or die (mysql_error());
?>

some of that is just to check and see what values were passed. Any help will be appreciated.

LordShryku

You shouldn't use stripslashes. MySQL needs those quotes to be terminated with slashes in order to insert.

csn

if (!get_magic_quotes_gpc()) {
  $topic = mysql_escape_string($topic);
  $author = mysql_escape_string($author);
  $date = mysql_escape_string($date);
  $news = mysql_escape_string($news); 
}

corruption

great help, thanks a bunch. The magic quotes thing worked perfectly.