vb.org Archive - View Single Post

Jaxel · #1 02-14-2009, 12:48 AM

I am using the following code...

Code:

function update_event($event)
{
	global $vbulletin, $db;

	$venue	= htmlspecialchars($vbulletin->input->clean_gpc('p', 'venue', TYPE_STR));
	$name		= htmlspecialchars($vbulletin->input->clean_gpc('p', 'name', TYPE_STR));
	$split	= htmlspecialchars($vbulletin->input->clean_gpc('p', 'split', TYPE_UINT));
	$game		= htmlspecialchars($vbulletin->input->clean_gpc('p', 'game', TYPE_UINT));
	$category	= htmlspecialchars($vbulletin->input->clean_gpc('p', 'category', TYPE_UINT));

	$day		= htmlspecialchars($vbulletin->input->clean_gpc('p', 'day', TYPE_UINT));
	$month	= htmlspecialchars($vbulletin->input->clean_gpc('p', 'month', TYPE_STR));
	$year		= htmlspecialchars($vbulletin->input->clean_gpc('p', 'year', TYPE_UINT));
	$time		= htmlspecialchars($vbulletin->input->clean_gpc('p', 'time', TYPE_STR));
	$timestamp = $day." ".$month." ".$year." ".$time." ".date('T');

	$db->query_write("UPDATE rank_events SET gameID='".$game."' WHERE eventID='".$event['eventID']."'");
	$db->query_write("UPDATE rank_events SET categoryID='".$category."' WHERE eventID='".$event['eventID']."'");
	$db->query_write("UPDATE rank_events SET eDate='".strtotime($timestamp)."' WHERE eventID='".$event['eventID']."'");
	$db->query_write("UPDATE rank_events SET eVenue='".$venue."' WHERE eventID='".$event['eventID']."'");
	$db->query_write("UPDATE rank_events SET eName='".$name."' WHERE eventID='".$event['eventID']."'");
	$db->query_write("UPDATE rank_events SET eSplit='".$split."' WHERE eventID='".$event['eventID']."'");
}

I thought this code would "sanitize" my inputs so that I wouldn't have any poisoning going on... but I still get the following error when I try to input something with a ' in it...

Code:

Database error in vBulletin 3.8.1:

Invalid SQL:
UPDATE rank_events SET eVenue='Gamer's Edge' WHERE eventID='4';

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Edge' WHERE eventID='4'' at line 1
Error Number  : 1064

How do I fix this?

X vBulletin 3.8.12 by vBS Debug Information
Page Generation 0.01743 seconds Memory Usage 1,769KB Queries Executed 11 (?)
More Information
Template Usage: (1)SHOWTHREAD_SHOWPOST (1)ad_footer_end (1)ad_footer_start (1)ad_header_end (1)ad_header_logo (1)ad_navbar_below (2)bbcode_code (1)footer (1)gobutton (1)header (1)headinclude (6)option (1)post_thanks_box (1)post_thanks_button (1)post_thanks_javascript (1)post_thanks_navbar_search (1)post_thanks_postbit_info (1)postbit (1)postbit_onlinestatus (1)postbit_wrapper (1)spacer_close (1)spacer_open Phrase Groups Available: global postbit reputationlevel showthread	Included Files: ./showpost.php ./global.php ./includes/init.php ./includes/class_core.php ./includes/config.php ./includes/functions.php ./includes/class_hook.php ./includes/modsystem_functions.php ./includes/functions_bigthree.php ./includes/class_postbit.php ./includes/class_bbcode.php ./includes/functions_reputation.php ./includes/functions_post_thanks.php Hooks Called: init_startup init_startup_session_setup_start init_startup_session_setup_complete cache_permissions fetch_postinfo_query fetch_postinfo fetch_threadinfo_query fetch_threadinfo fetch_foruminfo style_fetch cache_templates global_start parse_templates global_setup_complete showpost_start bbcode_fetch_tags bbcode_create postbit_factory showpost_post postbit_display_start post_thanks_function_post_thanks_off_start post_thanks_function_post_thanks_off_end post_thanks_function_fetch_thanks_start post_thanks_function_fetch_thanks_end post_thanks_function_thanked_already_start post_thanks_function_thanked_already_end fetch_musername postbit_imicons bbcode_parse_start bbcode_parse_complete_precache bbcode_parse_complete postbit_display_complete post_thanks_function_can_thank_this_post_start showpost_complete
Messages: