Incorrect mySQL syntax error

Question

I have inherited a site that includes a bespoke CMS. I moved hosts and after the move, I now get this error when trying to update pages;

Query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Park Baptist Church

So, the application is failing when it hits a single quotation mark...

However, I can't pinpoint how to correct this.. the .sql file is as follows;

-- 
-- Table structure for table 'articles'
-- 

CREATE TABLE 'articles' (
  'article_id' int(11) NOT NULL auto_increment,
  'title' varchar(100) default NULL,
  'date' date NOT NULL,
  'publication' varchar(50) default NULL,
  'file' varchar(100) default NULL,
  PRIMARY KEY  ('article_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'articles'
-- 

-- 
-- Table structure for table 'course_into'
-- 

CREATE TABLE 'course_into' (
  'course_intro_id' int(11) NOT NULL auto_increment,
  'region_id' int(11) NOT NULL,
  'content' text,
  PRIMARY KEY  ('course_intro_id','region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'course_into'
-- 
-- --------------------------------------------------------
-- 
-- Table structure for table 'courses'
-- 

CREATE TABLE 'courses' (
  'course_id' int(11) NOT NULL auto_increment,
  'region_id' int(11) NOT NULL,
  'date' date NOT NULL,
  'location' varchar(50) default NULL,
  'address' text,
  'instructor' varchar(50) default NULL,
  'organiser' varchar(50) default NULL,
  PRIMARY KEY  ('course_id','region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'courses'
-- 


-- --------------------------------------------------------

-- 
-- Table structure for table 'coverages'
-- 

CREATE TABLE 'coverages' (
  'coverage_id' int(11) NOT NULL auto_increment,
  'title' varchar(100) default NULL,
  'date' date NOT NULL,
  'publication' varchar(50) default NULL,
  'file' varchar(100) default NULL,
  PRIMARY KEY  ('coverage_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'coverages'
-- 


-- --------------------------------------------------------

-- 
-- Table structure for table 'news'
-- 

CREATE TABLE 'news' (
  'news_id' int(11) NOT NULL auto_increment,
  'title' varchar(100) default NULL,
  'subdeck' varchar(100) default NULL,
  'date' date NOT NULL,
  'picture' varchar(50) default NULL,
  'content' text,
  PRIMARY KEY  ('news_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'news'
-- 


-- --------------------------------------------------------

-- 
-- Table structure for table 'open_days'
-- 

CREATE TABLE 'open_days' (
  'open_day_id' int(11) NOT NULL auto_increment,
  'region_id' int(11) NOT NULL,
  'date' date NOT NULL,
  'location' varchar(50) default NULL,
  'address' text,
  'instructor' varchar(50) default NULL,
  'organiser' varchar(50) default NULL,
  PRIMARY KEY  ('open_day_id','region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'open_days'
-- 


-- --------------------------------------------------------

-- 
-- Table structure for table 'people_regions'
-- 

CREATE TABLE 'people_regions' (
  'region_id' int(11) NOT NULL auto_increment,
  'region' varchar(50) NOT NULL,
  PRIMARY KEY  ('region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=5 ;

-- 
-- Dumping data for table 'people_regions'
-- 

INSERT INTO 'people_regions' ('region_id', 'region') VALUES 
(1, 'UK'),
(2, 'Ireland'),
(3, 'Australia'),
(4, 'South Africa');

-- --------------------------------------------------------



-- 


-- 
-- Table structure for table 'regions'
-- 

CREATE TABLE 'regions' (
  'region_id' int(11) NOT NULL auto_increment,
  'region' varchar(50) NOT NULL,
  PRIMARY KEY  ('region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=10 ;

-- 
-- Dumping data for table 'regions'
-- 

INSERT INTO 'regions' ('region_id', 'region') VALUES 
(1, 'UK North'),
(2, 'UK South'),
(3, 'Ireland'),
(4, 'US'),
(5, 'Scandinavia'),
(6, 'Holland'),
(7, 'South Africa'),
(8, 'Australia'),
(9, 'New Zealand');

-- --------------------------------------------------------


-- --------------------------------------------------------

-- 
-- Table structure for table 'section_subset'
-- 

CREATE TABLE 'section_subset' (
  'section_id' int(11) NOT NULL,
  'subset_id' int(11) NOT NULL,
  PRIMARY KEY  ('section_id','subset_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

-- 
-- Dumping data for table 'section_subset'
-- 

INSERT INTO 'section_subset' ('section_id', 'subset_id') VALUES 
(1, 1),
(1, 2),
(1, 3);

-- --------------------------------------------------------

-- 
-- Table structure for table 'sections'
-- 

CREATE TABLE 'sections' (
  'section_id' int(11) NOT NULL auto_increment,
  'name' varchar(50) NOT NULL,
  PRIMARY KEY  ('section_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=8 ;

-- 
-- Dumping data for table 'sections'
-- 

INSERT INTO 'sections' ('section_id', 'name') VALUES 
(1, 'about us'),
(2, 'courses'),
(3, 'people'),
(4, 'media'),
(5, 'FAQs'),
(6, 'links'),
(7, 'contact us');

-- --------------------------------------------------------

-- 
-- Table structure for table 'subsets'
-- 

CREATE TABLE 'subsets' (
  'subset_id' int(11) NOT NULL auto_increment,
  'name' varchar(50) NOT NULL,
  'content' text,
  PRIMARY KEY  ('subset_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;

-- 
-- Dumping data for table 'subsets'
-- 

INSERT INTO 'subsets' ('subset_id', 'name', 'content') VALUES 
(1, 'our approach', '<p>our approach content goes here</p>'),
(2, 'what to expect', '<p>what to expect content goes here</p>'),
(3, 'fees', '<p>fees content goes here</p>'),
(4, 'FAQs', '                faq content goes here                '),
(5, 'Links', 'links content goes here'),
(6, 'Links sidebar', 'external links to blogs');

-- --------------------------------------------------------

-- 
-- Table structure for table 'support_groups'
-- 

CREATE TABLE 'support_groups' (
  'support_group_id' int(11) NOT NULL auto_increment,
  'region_id' int(11) NOT NULL,
  'content' text,
  PRIMARY KEY  ('support_group_id','region_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'support_groups'
-- 


-- --------------------------------------------------------

-- 
-- Table structure for table 'techs'
-- 

CREATE TABLE 'techs' (
  'tech_id' int(11) NOT NULL auto_increment,
  'news_id' int(11) NOT NULL,
  'tech' varchar(100) default NULL,
  PRIMARY KEY  ('tech_id','news_id')
) ENGINE=InnoDB DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

-- 
-- Dumping data for table 'techs'
-- 


-- --------------------------------------------------------

The code for that update page in the CMs is as follows;

    <?php 
include('global.php');

include('../inc/config.php');
include('../inc/functions.php');

connect_db();

$id = !empty($_GET['id']) ? $_GET['id'] : 1;

if (!empty($_POST['id'])) {
    $id = $_POST['id'];
}

/**restrict for region access   **/
//check user region
if (!empty($_SESSION['region'])) {
    $query = "SELECT * FROM regions WHERE region = '".$_SESSION['region']."'";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);
    $id = $row['region_id'];
}
//end region access//

/////////////////////////////////////////////////////////

if (isset($_POST['update']) && empty($_POST['section'])) {

    $intro = $_POST['intro'];
    $date = $_REQUEST['year']."-".$_REQUEST['month']."-".$_REQUEST['day'];
    $location = $_REQUEST['location'];
    $address = $_REQUEST['address'];
    $instructor = $_POST['instructor'];
    $organiser = $_POST['organiser'];
    $tel = $_POST['tel'];
    $support = $_REQUEST['support'];


    $query = "UPDATE course_intro SET content = '$intro' WHERE region_id = $id";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    /*
    $query = "UPDATE open_days SET date='$date', location='$location', address='$address', instructor='$instructor', organiser='$organiser', tel='$tel' WHERE region_id = $id";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    */

    $query = "UPDATE support_groups SET content = '$support' WHERE region_id = $id";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt;
<html xmlns="http://www.w3.org/1999/xhtml"&gt;
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>admin</title>
<link href="../inc/css/admin.css" rel="stylesheet" type="text/css" />
<!--[if IE 7]><style type="text/css">@import '../inc/css/ie7.css';</style><![endif]-->
<!--[if IE 6]><style type="text/css">@import '../inc/css/ie6.css';</style><![endif]-->
<script language="javascript" src="../inc/tiny_mce/tiny_mce.js"></script>
<script language="javascript" src="../inc/tiny_mce/tiny_mce_config.js"></script>

</head>

<body class="thrColFixHdr">

<div id="container">
  <div id="header">
       <h1><a href="index.php">ADMIN PAGE</a></h1>
<?php
    if(!strstr($_SERVER['PHP_SELF'], 'login.php')) {
        echo '<p><a href="../index.php">[ view the site ]</a> ';

        if ($_SESSION['admin']) {
            echo '<a href="manage_users.php">[ manage users ]</a> ';
        }

        echo '<a href="logout.php">[ logout ]</a> &nbsp;<p>';
    }
?>
        <div id="navi">
        <?php include('navi.php'); ?>
        <!-- end #navi --></div>
  <!-- end #header --></div>
  <div id="sidebar1">
     <ul>
     <?php

    $query = "SELECT * FROM regions";

    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

        while($row = mysql_fetch_array($result)) {  
            if ($id == $row['region_id']) {
                echo "<li><a href='?id=".$row['region_id']."' class='current'>".$row['region']."</a></li>\n";
                $region = $row['region'];
            }
            else {
                echo "<li><a href='?id=".$row['region_id']."'>".$row['region']."</a></li>\n";
            }
        }

    mysql_free_result($result);

      ?>
     </ul>
  <!-- end #sidebar1 --></div>
  <div id="mainContent2">
  <h1> Course - <?= $region ?> </h1>

  <?php 
 //course 
  if ($_GET['section'] == 'course' || $_POST['section'] == 'course' ) {
        if (!empty($_GET['add'])) {
            print_add_form();
        }
        else if (!empty($_GET['e_id'])) {
            print_edit_form();
        }
        else {
            if (isset($_POST['add'])){
                add_item();
            }
            if (!empty($_GET['d_id'])) {
                delete_item();
            }
            if (isset($_POST['update'])){
                update_item();
            }

            list_item();
        }
  }

 //report
  else if ($_GET['section'] == 'report' || $_POST['section'] == 'report' ) {
        if (!empty($_GET['add'])) {
            print_add_report_form();
        }
        else if (!empty($_GET['e_id'])) {
            print_edit_report_form();
        }
        else {
            if (isset($_POST['add'])){
                add_report();
            }
            if (!empty($_GET['d_id'])) {
                delete_report();
            }
            if (isset($_POST['update'])){
                update_report();
            }

            list_report();
        }
  }

   //open days
  else if ($_GET['section'] == 'days' || $_POST['section'] == 'days' ) {
        if (!empty($_GET['add'])) {
            print_add_days_form();
        }
        else if (!empty($_GET['e_id'])) {
            print_edit_days_form();
        }
        else {
            if (isset($_POST['add'])){
                add_days();
            }
            if (!empty($_GET['d_id'])) {
                delete_days();
            }
            if (isset($_POST['update'])){
                update_days();
            }

            list_days();
        }
  }

//main info
  else{
  ?>
    <a href='?id=<?= $id ?>&section=course'>[ manage courses ]</a>
    <a href='?id=<?= $id ?>&section=report'>[ manage course reports ]</a>
    <a href='?id=<?= $id ?>&section=days'>[ manage events ]</a>
    <form action="<?=$_SERVER['PHP_SELF'] ?>" method="post">

    <h2>Intro</h2>
    <p><textarea cols="60" rows="30" name="intro">
    <?php

    $query = "SELECT * FROM course_intro WHERE region_id = $id";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);
    mysql_free_result($result);

    echo $row['content'];
    ?>
    </textarea></p>

    <h2>Support groups</h2>
    <p><textarea cols="60" rows="10" name="support">
    <?php

    $query = "SELECT * FROM support_groups WHERE region_id = $id";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);
    mysql_free_result($result);

    echo $row['content'];
    ?>
    </textarea></p>

    <input type="hidden" name="id" value="<?= $id ?>" />
    <input type="submit" name="update" value="Update" />
    </form> 

    <?php  } ?>



        <!-- end #mainContent --></div>
    <!-- This clearing element should immediately follow the #mainContent div in order to force the #container div to contain all child floats --><br class="clearfloat" />
  <div id="footer">
     <?php include('footer.php'); ?>
  <!-- end #footer --></div>
<!-- end #container --></div>
</body>
</html>

<?php
//course
///////////////////////////////////
function list_item() {
        global $id;
        connect_db();

        $query = "SELECT * FROM courses WHERE region_id = $id";
        $result = mysql_query($query) or die('Query failed: ' . mysql_error());

        echo "<h2>Courses</h2>";
        echo "<table>";
        echo "<tr>";
        echo "<th>Duration</th>";
        echo "<th>Location</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";
        while($row = mysql_fetch_array($result)){
            echo "<tr>";
            echo "<td>".convert_date($row['start_date'])." - ".convert_date($row['end_date'])."</td>";
            echo "<td>".$row['location']."</td>";
            echo "<td><a href='?id=$id&section=course&e_id=".$row['course_id']."'>[Edit]</a> ";
            echo "<a href='?id=$id&section=course&d_id=".$row['course_id']."'>[Del]</a>";
            echo "</td>";
            echo "</tr>";
        }
        echo "<tr align='right'><td colspan='3'><a href='?id=$id&section=course&add=true'>[Add]</a></td></tr>";
        echo "</table>";

        mysql_free_result($result);
}

function print_add_form() {
    global $id;
    connect_db();

    echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_sdate_options('', '', '')."</p>";
    echo "<p>".print_edate_options('', '', '')."</p>";
    echo "<p>Location: <input type='text' name='location' /></p>";
    echo "<p>Address:<br /><textarea cols='60' rows='10' name='address'></textarea></p>";
    echo "<p>Instructor: <input type='text' name='instructor' /></p>";
    echo "<p>Organiser: <input type='text' name='organiser' /></p>";
    echo "<p>Tel: <input type='text' name='tel' /></p>";    
    echo "<p><input type='submit' name='add' value='add' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='section' value='course'>";
    echo "</form>";
}

function add_item() {
    $start_date = $_REQUEST['s_year']."-".$_REQUEST['s_month']."-".$_REQUEST['s_day'];
    $end_date = $_REQUEST['e_year']."-".$_REQUEST['e_month']."-".$_REQUEST['e_day'];
    $location = $_POST['location'];
    $address = $_POST['address'];
    $instructor = $_POST['instructor'];
    $organiser = $_POST['organiser'];
    $tel = $_POST['tel'];

    global $id;
    connect_db();

    $query = "INSERT INTO courses VALUES(null, $id, '$start_date', '$end_date', '$location', '$address', '$instructor', '$organiser', '$tel')";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function delete_item() {
    global $id;
    connect_db();

    $query = "DELETE FROM courses WHERE course_id =".$_GET['d_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function print_edit_form() {
    global $id;
    connect_db();

    $query = "SELECT * FROM courses WHERE course_id =".$_GET['e_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);

    $s_day = substr($row['start_date'], 8, 2) ;
    $s_month = substr($row['start_date'], 5, 2);
    $s_year = substr($row['start_date'], 0, 4);

    $e_day = substr($row['end_date'], 8, 2) ;
    $e_month = substr($row['end_date'], 5, 2);
    $e_year = substr($row['end_date'], 0, 4);

    echo "<form enctype='multipart/form-data' action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_sdate_options($s_day, $s_month, $s_year)."</p>";
    echo "<p>".print_edate_options($e_day, $s_month, $s_year)."</p>";
    echo "<p>Location: <input type='text' name='location' value='".$row['location']."' /></p>";
    echo "<p>Address:<br /><textarea cols='60' rows='10' name='address'>".$row['address']."</textarea></p>";
    echo "<p>Instructor: <input type='text' name='instructor' value='".$row['instructor']."' /></p>";
    echo "<p>Organiser: <input type='text' name='organiser' value='".$row['organiser']."' /></p>";
    echo "<p>Tel: <input type='text' name='tel' value='".$row['tel']."' /></p>";    
    echo "<p><input type='submit' name='update' value='update' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='u_id' value='".$row['course_id']."'>";
    echo "<input type='hidden' name='section' value='course'>";
    echo "</form>";
}

function update_item() {
    $start_date = $_REQUEST['s_year']."-".$_REQUEST['s_month']."-".$_REQUEST['s_day'];
    $end_date = $_REQUEST['e_year']."-".$_REQUEST['e_month']."-".$_REQUEST['e_day'];
    $location = $_POST['location'];
    $address = $_POST['address'];
    $instructor = $_POST['instructor'];
    $organiser = $_POST['organiser'];
    $tel = $_POST['tel'];

    global $id;
    connect_db();

    $query = "UPDATE courses SET start_date='$start_date', end_date='$end_date', location='$location', address='$address', instructor='$instructor', organiser='$organiser', tel='$tel' WHERE course_id=".$_POST['u_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

//reports
/////////////////////////////////////////////////////

function list_report() {
        global $id;
        connect_db();

        $query = "SELECT * FROM reports WHERE region_id = $id";
        $result = mysql_query($query) or die('Query failed: ' . mysql_error());

        echo "<h2>Course Reports</h2>";
        echo "<table>";
        echo "<tr>";
        echo "<th>Date</th>";
        echo "<th>Location</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";
        while($row = mysql_fetch_array($result)){
            echo "<tr>";
            echo "<td>".convert_date($row['date'])."</td>";
            echo "<td>".$row['location']."</td>";
            echo "<td><a href='?id=$id&section=report&e_id=".$row['report_id']."'>[Edit]</a> ";
            echo "<a href='?id=$id&section=report&d_id=".$row['report_id']."'>[Del]</a>";
            echo "</td>";
            echo "</tr>";
        }
        echo "<tr align='right'><td colspan='4'><a href='?id=$id&section=report&add=true'>[Add]</a></td></tr>";
        echo "</table>";

        mysql_free_result($result);
}

function print_add_report_form() {
    global $id;
    connect_db();

    echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_date_options('', '', '')."</p>";
    echo "<p>Location: <input type='text' name='location' /></p>";
    echo "<p>Content:<br /> <textarea cols='60' rows='30' name='content'></textarea></p>";  
    echo "<p><input type='submit' name='add' value='add' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='section' value='report'>";
    echo "</form>";
}

function add_report() {
    $date = $_REQUEST['year']."-".$_REQUEST['month']."-".$_REQUEST['day'];
    $location = $_POST['location'];
    $content = $_POST['content'];

    global $id;
    connect_db();

    $query = "INSERT INTO reports VALUES(null, $id, '$date', '$location', '$content')";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function delete_report() {
    global $id;
    connect_db();

    $query = "DELETE FROM reports WHERE report_id =".$_GET['d_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function print_edit_report_form() {
    global $id;
    connect_db();

    $query = "SELECT * FROM reports WHERE report_id =".$_GET['e_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);

    $day = substr($row['date'], 8, 2) ;
    $month = substr($row['date'], 5, 2);
    $year = substr($row['date'], 0, 4);

    echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_date_options($day, $month, $year)."</p>";
    echo "<p>Location: <input type='text' name='location' value='".$row['location']."' /></p>";
    echo "<p>Content:<br /> <textarea cols='60' rows='30' name='content'>".$row['content']."</textarea></p>";   
    echo "<p><input type='submit' name='update' value='update' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='u_id' value='".$row['report_id']."'>";
    echo "<input type='hidden' name='section' value='report'>";
    echo "</form>";
}

function update_report() {
    $date = $_REQUEST['year']."-".$_REQUEST['month']."-".$_REQUEST['day'];
    $location = $_POST['location'];
    $content = $_POST['content'];


    global $id;
    connect_db();

    $query = "UPDATE reports SET date='$date', location='$location', content='$content' ";                      $query .= "WHERE report_id = ".$_POST['u_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

//open days
/////////////////////////////////////////////////////

function list_days() {
        global $id;
        connect_db();

        $query = "SELECT * FROM open_days WHERE region_id = $id";
        $result = mysql_query($query) or die('Query failed: ' . mysql_error());

        echo "<h2>Events</h2>";
        echo "<table>";
        echo "<tr>";
        echo "<th>Date</th>";
        echo "<th>Title</th>";
        echo "<th>&nbsp;</th>";
        echo "</tr>";
        while($row = mysql_fetch_array($result)){
            echo "<tr>";
            echo "<td>".convert_date($row['date'])."</td>";
            echo "<td>".$row['title']."</td>";
            echo "<td><a href='?id=$id&section=days&e_id=".$row['open_day_id']."'>[Edit]</a> ";
            echo "<a href='?id=$id&section=days&d_id=".$row['open_day_id']."'>[Del]</a>";
            echo "</td>";
            echo "</tr>";
        }
        echo "<tr align='right'><td colspan='4'><a href='?id=$id&section=days&add=true'>[Add]</a></td></tr>";
        echo "</table>";

        mysql_free_result($result);
}

function print_add_days_form() {
    global $id;
    connect_db();

    echo "<form enctype='multipart/form-data' action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_date_options('', '', '')."</p>";
    echo "<p>Title: <input type='text' name='title' size='50' /></p>";
    echo "<p>Info:<br /><textarea cols='60' rows='10' name='info'></textarea></p>";
    echo "<p><input type='submit' name='add' value='add' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='section' value='days'>";
    echo "</form>";
}

function add_days() {
    $date = $_REQUEST['year']."-".$_REQUEST['month']."-".$_REQUEST['day'];
    $title = $_REQUEST['title'];
    $info = $_REQUEST['info'];

    global $id;
    connect_db();

    $query = "INSERT INTO open_days VALUES(null, $id, '$date', '$title', '$info')";
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function delete_days() {
    global $id;
    connect_db();

    $query = "DELETE FROM open_days WHERE open_day_id =".$_GET['d_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}

function print_edit_days_form() {
    global $id;
    connect_db();

    $query = "SELECT * FROM open_days WHERE open_day_id =".$_GET['e_id'];
    $result = mysql_query($query) or die('Query failed: ' . mysql_error());
    $row = mysql_fetch_array($result);

    $day = substr($row['date'], 8, 2) ;
    $month = substr($row['date'], 5, 2);
    $year = substr($row['date'], 0, 4);

    echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>";
    echo "<p>".print_date_options($day, $month, $year)."</p>";
    echo "<p>Title: <input type='text' size='50' name='title' value='".$row['title']."'/></p>";
    echo "<p>Info:<br /><textarea cols='60' rows='10' name='info'>".$row['info']."</textarea></p>";
    echo "<p><input type='submit' name='update' value='update' /></p>";
    echo "<input type='hidden' name='id' value='$id'>";
    echo "<input type='hidden' name='u_id' value='".$row['open_day_id']."'>";
    echo "<input type='hidden' name='section' value='days'>";
    echo "</form>";
}

function update_days() {
    $date = $_REQUEST['year']."-".$_REQUEST['month']."-".$_REQUEST['day'];
    $title = $_REQUEST['title'];
    $info = $_REQUEST['info'];

    global $id;
    connect_db();


    $query = "UPDATE open_days SET date='$date', title='$title', info='$info' WHERE open_day_id = ".$_POST['u_id'];

    $result = mysql_query($query) or die('Query failed: ' . mysql_error());

}


?>

Sorry for the obtuse code dump but I thought it's best to give a complete picture..

Any guidance greatly appreciated...

Answer 1

This error message means that your single quotes aren't being escaped properly. So someone has entered Saint David's Park Baptist Church or something like that and it has ended up being sent to MySQL as is. I suspect that some server setting such as magic quotes is different between the 2 servers.

I also suspect that your code may be vulnerable to SQL injection if you are just relying on magic quotes but don't know enough about PHP to know what the best practices are. Edit: I think Flakron's answer covers that.

Answer 2

don't forget to escape input, this way you protect your database from sql injects and this error that you are having e.g

$intro = mysql_real_escape_string($_POST['intro']);

Answer 3

right syntax to use near 's Park Baptist Church

Is a dead giveaway that you have an SQL injection problem. Apart from making it impossible to use values with apostrophes in, this can also be a serious security issue, if untrusted user input ever makes it into one of those strings.

$query = "SELECT * FROM regions WHERE region = '".$_SESSION['region']."'";

Yeah, that's super-broken. You must use mysql_real_escape_string() on any text content you are attempting to insert into an SQL string literal. Every single one of your queries appears to be vulnerable.

You can write a shorthand function to save typing:

function m($s) {
    return "'".mysql_real_escape_string($s)."'";
}

$query= 'SELECT * FROM regions WHERE region='.m($_SESSION['region']);

In the longer term, consider using parameterised queries (mysqli or PDO), which avoid string-escaping issues.

This should never have worked before, but might have been hidden by a magic_quotes_gpc deployment option on the old server. However this option is acknowledged by the PHP devs as a horrible mistake. Whilst you could try turning it on as a temporary measure until you have audited all the SQL in the application (or until it is removed from PHP, whichever comes first), it will typically introduce further errors, and often fail to actually secure the application.

Also everywhere you put an arbitrary string into HTML, you need to be calling htmlspecialchars(). Otherwise, any < or & characters in the text are going to cause problems, and again if user input is involved you have a cross-site-scripting security mess. Just flicking through, this definitely has user input:

echo "<form action='".$_SERVER['PHP_SELF']."' method='POST'>";

this is a very common HTML-injection hole; the user can put an apostrophe in the URL, causing PHP_SELF to break out of the action attribute and allow an attacker to inject script content into the document.

Also, just on a quick flick through, you've got unescaped & characters in href attributes (&sect in particular can cause you problems as there is an HTML entity with that name), and the interposition of active PHP code and output HTML makes the application desperately unmaintainable.

In short, the application you have been handed is a horror of the worst kind, exhibiting pretty much every anti-pattern excreted by naïve PHP beginners. Consider re-writing, and further consider applying physical violence to the perpetrator.