bitit.it Posted August 9
I must put a slash before typing ', otherwise I get a SQL error.
stefan1959 Posted August 9
I get the same:

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test')' at line 1
insert into reviews_description (reviews_id, languages_id, reviews_text) values ('2', '1', 'test'test')

Steve
kgtee Posted August 10
This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. More info: https://www.php.net/manual/en/security.magicquotes.php
stefan1959 Posted August 10
1 hour ago, kgtee said:
    This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. More info: https://www.php.net/manual/en/security.magicquotes.php

I'm running 7.2.

Server Information
Server OS: Linux 3.10.0-957.27.2.el7.x86_64
Database: MySQL 5.5.60-MariaDB
Server Date: 2019-08-10 13:47:49 +1000 AEST
Database Date: 2019-08-10 13:47:49
HTTP Server: Apache/2.4.6
PHP Version: 7.2.10 (Zend: 3.2.0)
kgtee Posted August 10
@stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn it off if possible.
stefan1959 Posted August 10
I'm running a VPS, so I'm running the server myself; it's not hosted. I checked the php.ini, no magic quote. Would CE v1 even run on PHP 5.4?
stefan1959 Posted August 10
OK, I fixed the error; maybe the line needs a review? Line 55 of /admin/reviews.php

from:
    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to:
    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

tep_db_input() seems to fix the error.

Steve
bitit.it Posted August 10
3 hours ago, kgtee said:
    @stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn off if possible.

Magic quotes aren't safe; they have been deprecated for many years.

Enrico
bitit.it Posted August 10
2 hours ago, stefan1959 said:
    Ok, I fixed the error, maybe the line needs a review? Line 55 of /admin/reviews.php
    from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");
    tep_db_input() seems to fix error. Steve

I'll try it. I'm not so expert in the osCommerce code, but I believe there are only two solutions: either use "prepare" (but I have never used it with mysqli, only in PDO), or we must clean the string of dangerous characters; usually I use addslash or htmlspecialchars. This way it is also a danger for SQL injection.

Enrico
stefan1959 Posted August 10
Only one solution, sorry, that should have read:

from:
    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to:
    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php. I'm no expert either, so maybe I can be corrected.

Steve
JcMagpie Posted August 10
Just tested on Phoenix 1.0.1.4 running on PHP 7.3 and it shows no SQL issues; works fine, no errors logged.
bitit.it Posted August 10
26 minutes ago, stefan1959 said:
    Only one solution, sorry that should have a read from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); to tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");
    The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php I'm no expert either so maybe i can be corrected Steve

Yes, thank you, it seems to work properly.

Enrico
stefan1959 Posted August 10
I get an error adding that text with

    tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1
insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve
JcMagpie Posted August 10
23 minutes ago, stefan1959 said:
    Is there a way for me to view what being put into $review

I believe $review is simply an array of the review text from your database. So if you check your db it should show you what text is in each review.
kgtee Posted August 10
26 minutes ago, stefan1959 said:
    I get a error a add that text with tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1
    insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')
    Too much for me to work out why. Is there a way for me to view what being put into $review Steve

Is this error coming from the file on the shop side?
stefan1959 Posted August 10
Not shop side, only in the admin section. I can write the same text fine on the shop side. Updating text works fine on the admin side too.

Steve
ArtcoInc Posted August 10
6 hours ago, stefan1959 said:
    I get a error a add that text with tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
    1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1
    insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')
    Too much for me to work out why. Is there a way for me to view what being put into $review Steve

What this is saying is ... you are inserting data into the table reviews_description. The data to be inserted is surrounded by single quotes. Unfortunately, the code thinks that the apostrophe in the word it's is the end of the data, and doesn't know what to do with the remaining 's the best ...'

Now, how to solve this ... I don't know.

M

Get the latest Responsive osCommerce CE (community edition) here.
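The failure ArtcoInc describes above and the tep_db_input() fix Steve posted earlier, reproduced as an added example that is not osCommerce code: an in-memory SQLite table stands in for reviews_description, the constructed REVIEW string mirrors the text that failed in the thread, and escape_quotes() is a hypothetical stand-in for tep_db_input() (which in osCommerce delegates to the MySQL driver's escaping, a backslash style SQLite does not accept). A bound-parameter variant is included as the form a practitioner would reach for today.

```python
import sqlite3

# Constructed sample input modelled on the review text that failed in the thread.
REVIEW = "Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ..."

def make_db():
    # In-memory stand-in for the reviews_description table.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table reviews_description "
                 "(reviews_id integer, languages_id integer, reviews_text text)")
    return conn

def insert_concatenated(conn, insert_id, languages_id, review):
    # Mirrors the original admin/reviews.php line: the review text is spliced into
    # the statement as-is, so an apostrophe closes the string literal early and the
    # rest of the text is parsed as SQL (the 1064 error in the thread).
    sql = ("insert into reviews_description (reviews_id, languages_id, reviews_text) "
           "values ('" + str(int(insert_id)) + "', '" + str(int(languages_id)) + "', '"
           + review + "')")
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return "syntax error: " + str(exc)

def escape_quotes(value):
    # Hypothetical stand-in for tep_db_input(): doubles single quotes, the standard
    # SQL escape SQLite accepts. The real function uses the MySQL driver's escaper.
    return value.replace("'", "''")

def insert_escaped(conn, insert_id, languages_id, review):
    # Same concatenated statement, but the text passes through the escaper first.
    return insert_concatenated(conn, insert_id, languages_id, escape_quotes(review))

def insert_parameterized(conn, insert_id, languages_id, review):
    # Bound parameters: the review text is never parsed as SQL, so neither an
    # apostrophe nor crafted input can change the statement's structure.
    conn.execute("insert into reviews_description (reviews_id, languages_id, reviews_text) "
                 "values (?, ?, ?)", (int(insert_id), int(languages_id), review))
    conn.commit()
    return "ok"

def stored_text(conn, insert_id):
    # Read the row back to confirm the stored text equals what was submitted.
    row = conn.execute("select reviews_text from reviews_description where reviews_id = ?",
                       (int(insert_id),)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(insert_concatenated(db, 10, 1, REVIEW))
    print(insert_escaped(db, 11, 1, REVIEW), stored_text(db, 11))
    print(insert_parameterized(db, 12, 1, REVIEW), stored_text(db, 12))
```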
raiwa Posted August 10
8 hours ago, stefan1959 said:
    Only one solution, sorry that should have a read from tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')"); to tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");
    The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php I'm no expert either so maybe i can be corrected Steve

This solution should do it.

About Me: http://forums.oscommerce.com/user/249059-raiwa/
Need help? See this thread and provide the information requested. Is your version of osC up to date? You'll find the latest osC community version (CE Pheonix 1.0.0.0) here.
ArtcoInc Posted August 10
@burt Do we need to post this in the Phoenix bug list thread?
burt Posted August 10
Github -> Issues

If someone wants to raise it as an issue I'll get around to it at some point.

This is a signature that appears on all my posts. IF YOU MAKE A POST REQUESTING HELP...please state the exact version of osCommerce that you are using. THANKS
Get the latest Responsive osCommerce CE (community edition) here
ruden Posted August 10
Fix escape string: https://github.com/gburton/CE-Phoenix/pull/777/commits/830a9e9e6525993fafa16ab83cacb6297ad751a1