SQL ERROR 1064 - Think it is a single quote error

[alqadir]

Hi Guys,
I was hoping someone out there can help me out with this sql error I am having. I am thinking it has something to do with " ' " single quotes. In the code a user can input text into a text box. The data stored in this text box is assigned to a string variable,which is stored in the database via an sql statement. The code works fine until a " ' " is used in the text box.

Here is the error:

Code:

Database error in vBulletin 3.0.4:

Invalid SQL: 
                                INSERT INTO thread(title, lastpost, forumid, open, replycount,
                                postusername, postuserid, lastposter, dateline, iconid, visible, attach)
                                VALUES
                                        ('[Sell]  ADMS 2320 : Statistics for Man't and Econ Edition:6 Keller  ISBN: 0-534-39186-9   $80 ', 1135971661, 70,
                                         1, 0, 'ssrashid', 1383,
                                         'ssrashid', 1135971661, 0, 1,
                                         0)
                        
mysql error: You have an error in your SQL syntax.  Check the manual that corresponds to your MySQL server version for the right syntax to use near 't and Econ Edition:6 Keller  ISBN: 0-534-39186-9   $80 ', 11359

mysql error number: 1064

one solution might be to search the string for the invalid character.
is there a try catch routine with php?

[harmor19]

Is this from a custom script you made or from vbulletin itself?

[alqadir]

it is from an Erwin Form to Post hack.

[filburt1]

Escape quotes in all strings you use in the query. addslashes works but vB's MySQL class also has a method to do it.

vB's class uses:

PHP Code:

$db->escape_string($foo) 


[Paul M]

Does that exist in 3.0 ?

Nope, it was implemented with 3.5.