Mysql burping with " symbols
Cyricx
01-12-2006, 04:22 PM
Hopefully someone can help me out before I lose my hair ;)
I've got this insert string and unfortunately, when a " is used in newtitle, it stops the query right there.
For example if you put asd"fgh it'll only put asd into the database and ignore the rest.
Here is the query I'm using:
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'". $db->escape_string($_POST['newtitle'])."',
'" . $db->escape_string($_POST['attacker']) . "',
'" . $db->escape_string($_POST['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($_POST['victimid']) . "'
)");
Any ideas? :(
Hellcat
01-12-2006, 04:35 PM
You might have to escape the string.
Example: asd"fgh would be asd\"fgh (note the additional \ ).
That way the SQL server "knows" the " are part of the text and not the end of it.
You can use the PHP function addslashes() to do this.
First escape your string with addslashes() and then use that result in the query.
Should do the trick :)
Cyricx
01-12-2006, 04:44 PM
Hmm, I tried this
$_POST['newtitle'] = addslashes($_POST['newtitle']);
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'" . $db->escape_string($_POST['newtitle'])."',
'" . $db->escape_string($_POST['attacker']) . "',
'" . $db->escape_string($_POST['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($_POST['victimid']) . "'
)");
and
$_POST['newtitle'] = addslashes($_POST['newtitle']);
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'".$_POST['newtitle']."',
'" . $db->escape_string($_POST['attacker']) . "',
'" . $db->escape_string($_POST['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($_POST['victimid']) . "'
)");
No luck with either :(
Course, I've also tried using
'" . addslashes($_POST['newtitle'])."',
in the db query too and no luck :(
I kinda stumble around 'til it works, so I may be completely misunderstanding you hehe.
Hellcat
01-12-2006, 05:04 PM
Hmm....
Maybe try not to put the new value into the $_POST global, but rather into a local variable.
Like $newtitle = addslashes($_POST['newtitle']); and using $newtitle in the query.
If that doesn't work I'm out of ideas as well for the moment....
Cyricx
01-12-2006, 05:09 PM
Bugger, no good :(
I even converted the code over to the GPC stuff and tried addslashes and escape, then tried just addslashes, then just escape :(
$vbulletin->input->clean_array_gpc('p', array(
'victimid' => TYPE_INT,
'victim' => TYPE_STR,
'attacker' => TYPE_STR,
'newtitle' => TYPE_STR,
));
$newpreslashedtitle =& $vbulletin->GPC['newtitle'];
$newslashedtitle = addslashes($newpreslashedtitle);
$db->query_write("INSERT INTO " .TABLE_PREFIX. "title_wars
(
newtitle,
attacker,
victim,
attackerid,
victimid
) VALUES (
'" . $db->escape_string($newslashedtitle) . "',
'" . $db->escape_string($vbulletin->GPC['attacker']) . "',
'" . $db->escape_string($vbulletin->GPC['victim']) . "',
'" . $db->escape_string($vbulletin->userinfo['userid']) . "',
'" . $db->escape_string($vbulletin->GPC['victimid']) . "'
)");
And it will still only grab the characters before the " and stops there :(
Man sooo close :(
Thanks anyway Hellcat :(
I'm gonna go dig through some more files.
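The following Python models the escaping chains tried in this thread and what MySQL ends up storing for each; it is an added example, not code from the thread or from vBulletin. `mysql_escape` emulates `mysql_real_escape_string` (which vBulletin's `escape_string` wraps), `addslashes` emulates PHP's function of the same name, and `decode_literal` is a simplified parser for a MySQL single-quoted string literal (backslash escapes and doubled quotes only).

```python
# Added example: emulate what MySQL stores for the escaping chains in this thread.
# mysql_escape emulates mysql_real_escape_string (what vBulletin's escape_string wraps);
# addslashes emulates PHP's addslashes(); decode_literal is a simplified MySQL
# single-quoted literal parser, so the "stored value" is what the server would keep.

MYSQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
                 "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_escape(s: str) -> str:
    """Backslash-escape the characters mysql_real_escape_string handles."""
    return "".join(MYSQL_ESCAPES.get(c, c) for c in s)

def addslashes(s: str) -> str:
    """PHP addslashes(): backslash before ' " \\ and NUL."""
    return "".join("\\0" if c == "\0" else ("\\" + c if c in "'\"\\" else c) for c in s)

UNESCAPE = {"0": "\0", "n": "\n", "r": "\r", "Z": "\x1a", "b": "\b", "t": "\t"}

def decode_literal(sql: str) -> tuple[str, str]:
    """Parse a single-quoted MySQL literal at the start of sql.

    Returns (stored_value, remaining_sql). A quote that ends the literal early
    shows up as a short stored value plus leftover text in remaining_sql."""
    if not sql.startswith("'"):
        raise ValueError("expected a single-quoted literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):           # backslash escape sequence
            nxt = sql[i + 1]
            out.append(UNESCAPE.get(nxt, nxt))
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":  # '' inside a literal is one '
                out.append("'")
                i += 2
            else:                                      # closing quote
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated literal")

def stored_value(value: str, *escapers) -> str:
    """Run value through the given escaping chain, wrap it in '...', decode as MySQL would."""
    for escape in escapers:
        value = escape(value)
    return decode_literal("'" + value + "'")[0]
```

With `escape_string` alone the literal `'asd\"fgh'` decodes to the full `asd"fgh`, and stacking `addslashes` on top stores a stray backslash (`asd\"fgh`) rather than truncating, so a `"` cannot be ending the literal in the query above; only an unescaped `'` does that in a single-quoted literal.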