
Having problems with clean_gpc function


Jaxel
02-14-2009, 12:48 AM
I am using the following code...

function update_event($event)
{
    global $vbulletin, $db;

    $venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR));
    $name = htmlspecialchars($vbulletin->input->clean_gpc('p', 'name', TYPE_STR));
    $split = htmlspecialchars($vbulletin->input->clean_gpc('p', 'split', TYPE_UINT));
    $game = htmlspecialchars($vbulletin->input->clean_gpc('p', 'game', TYPE_UINT));
    $category = htmlspecialchars($vbulletin->input->clean_gpc('p', 'category', TYPE_UINT));

    $day = htmlspecialchars($vbulletin->input->clean_gpc('p', 'day', TYPE_UINT));
    $month = htmlspecialchars($vbulletin->input->clean_gpc('p', 'month', TYPE_STR));
    $year = htmlspecialchars($vbulletin->input->clean_gpc('p', 'year', TYPE_UINT));
    $time = htmlspecialchars($vbulletin->input->clean_gpc('p', 'time', TYPE_STR));
    $timestamp = $day." ".$month." ".$year." ".$time." ".date('T');

    $db->query_write("UPDATE rank_events SET gameID='".$game."' WHERE eventID='".$event['eventID']."'");
    $db->query_write("UPDATE rank_events SET categoryID='".$category."' WHERE eventID='".$event['eventID']."'");
    $db->query_write("UPDATE rank_events SET eDate='".strtotime($timestamp)."' WHERE eventID='".$event['eventID']."'");
    $db->query_write("UPDATE rank_events SET eVenue='".$venue."' WHERE eventID='".$event['eventID']."'");
    $db->query_write("UPDATE rank_events SET eName='".$name."' WHERE eventID='".$event['eventID']."'");
    $db->query_write("UPDATE rank_events SET eSplit='".$split."' WHERE eventID='".$event['eventID']."'");
}


I thought this code would "sanitize" my inputs so that I wouldn't have any poisoning going on... but I still get the following error when I try to input something with a ' in it...

Database error in vBulletin 3.8.1:

Invalid SQL:
UPDATE rank_events SET eVenue='Gamer's Edge' WHERE eventID='4';

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edge' WHERE eventID='4'' at line 1
Error Number : 1064


How do I fix this?

TigerC10
02-14-2009, 02:00 AM
clean_gpc(array $source, string $varname, [integer $vartype = TYPE_NOCLEAN])


You're calling it like so:

clean_gpc('p', 'venue', TYPE_STR) //bad call


'p' is a literal char, not an array. You should use it more like this...


clean_gpc($vbulletin, 'ProductOptionName', TYPE_STR)

//or

clean_gpc($vbulletin, 'Input', TYPE_STR)




But what you really need to consider is the addslashes (http://us3.php.net/addslashes) function.

addslashes($input);


Much simpler, it'll automatically escape the quote characters...

Jaxel
02-14-2009, 02:31 AM
I simply changed it to the following...


$venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR),ENT_QUOTES);


According to the VB manual... this is the way to do it
https://vborg.vbsupport.ru/showthread.php?t=119372

clean_gpc('p', 'venue', TYPE_STR)

The 'p' is a substitute for $_POST... g would be for $_GET, r would be for $_RETRIEVE, etc...

TigerC10
02-14-2009, 02:45 AM
That article is from 2006, are you sure that's how they're still calling the function?

What about sticking $_POST in there instead of 'p' ??

Have you tried addslashes? That's the function that replaced magic_quotes.


The other thing that article talks about is that you retrieve the value like so:

$vbulletin->GPC['value']


So your call should be this:

$vbulletin->input->clean_gpc('p', 'venue', TYPE_STR);
$venue = htmlspecialchars($vbulletin->GPC['venue']);


EDIT:
Yeah, I think I had it wrong at first, I misunderstood the API. The code sample above should be appropriate.

Dismounted
02-14-2009, 05:03 AM
htmlspecialchars() is for sanitising HTML; that function should be used on display, and not when inserting into the database. You should be using $db->escape_string() on the variable.
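Worked example added by the editor, not code posted in the thread or shipped by vBulletin: the broken pattern from the first post beside the version Dismounted describes, run against the very input from the error message. The vBulletin calls (clean_gpc, $vbulletin->GPC, $db->escape_string, $db->query_write) are used as the thread describes them; StubInput, StubVB, StubDB and the TYPE_* constant values are constructed stand-ins so the file runs without a vBulletin install.

```php
<?php
// Added example (not the thread's or vBulletin's code). The vBulletin calls follow the
// thread's description; StubInput/StubVB/StubDB are constructed stand-ins so it runs alone.
define('TYPE_STR', 1);   // placeholder values; vBulletin defines its own constants
define('TYPE_UINT', 2);

class StubInput {
    private $vb;
    public function __construct($vb) { $this->vb = $vb; }
    // 'p' selects $_POST, 'g' selects $_GET; the value is cast by $vartype, stored in
    // $vbulletin->GPC[$varname] and also returned, as the thread describes.
    public function clean_gpc($source, $varname, $vartype) {
        $src = ($source === 'g') ? $_GET : $_POST;
        $raw = isset($src[$varname]) ? $src[$varname] : '';
        $this->vb->GPC[$varname] = ($vartype === TYPE_UINT) ? max(0, (int) $raw) : (string) $raw;
        return $this->vb->GPC[$varname];
    }
}
class StubVB { public $GPC = array(); public $input;
    public function __construct() { $this->input = new StubInput($this); } }
class StubDB { public $queries = array();
    public function query_write($sql) { $this->queries[] = $sql; }
    // Stand-in only: the real $db->escape_string() uses the connection's charset-aware escaper.
    public function escape_string($s) { return addslashes($s); } }

// BEFORE (the original pattern): HTML encoding is the wrong layer. ENT_COMPAT was the
// default in 2009-era PHP and leaves ' untouched, so "Gamer's Edge" breaks the query.
function update_venue_broken($vbulletin, $db, $eventID) {
    $venue = htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR), ENT_COMPAT);
    $db->query_write("UPDATE rank_events SET eVenue='" . $venue . "' WHERE eventID='" . $eventID . "'");
}

// AFTER (Dismounted's advice): clean for type, then escape for SQL at the database boundary.
function update_venue_fixed($vbulletin, $db, $eventID) {
    $vbulletin->input->clean_gpc('p', 'venue', TYPE_STR);
    $vbulletin->input->clean_gpc('p', 'game', TYPE_UINT);
    $venue = $db->escape_string($vbulletin->GPC['venue']);
    $game  = (int) $vbulletin->GPC['game'];   // TYPE_UINT is already an integer: no quoting needed
    $db->query_write("UPDATE rank_events SET eVenue='" . $venue . "', gameID=" . $game
        . " WHERE eventID=" . (int) $eventID);
}

$_POST = array('venue' => "Gamer's Edge", 'game' => '12');   // constructed sample request
$vbulletin = new StubVB();
$db = new StubDB();
update_venue_broken($vbulletin, $db, 4);   // first query is the invalid SQL from the thread
update_venue_fixed($vbulletin, $db, 4);    // second query is safe
foreach ($db->queries as $q) { echo $q, "\n"; }
// HTML encoding belongs at display time, applied to the raw stored value:
echo htmlspecialchars($vbulletin->GPC['venue'], ENT_QUOTES), "\n";
```

Note that TYPE_UINT values need no quoting at all once cleaned, which is why the fixed version drops the quotes around gameID and eventID.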

Jaxel
02-15-2009, 03:17 PM
Thanks Dismounted... you've solved all of my problems... escape_string is what I was looking for.