Hey, I'm trying to insert an embed code into my database, and it's giving me this error:

Error adding new data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'movie.php?id=6001', 
            type = 'stream', 
            embed = '<object width=\"500\" he' at line 1

Now this is the code I'm using:

    $sql = "INSERT INTO videos SET
        title = '".mysql_escape_string($title)."',
        urltitle = '".slug(mysql_escape_string($title))."',
        description = '',
        category = 'streams',
        first_img = '".mysql_escape_string($imgurl)."',
        o_url = 'http://watchnewfilms.com/'".mysql_escape_string($thisUrl)."',
        type = 'stream',
        embed = '".mysql_escape_string($embed)."',
        last_updated = '".date("Y-m-d")."',
        date_added = '".date("Y-m-d")."'";

anyone see any problems?

Thanks!

+3  A: 

You should use mysql_real_escape_string()

and you should apply it to the whole value for full security and better readability.

In your case, you have an extra ' here:

    o_url = 'http://watchnewfilms.com/'".mysql_escape_string($thisUrl)."', 
    ----------------------------------^
Pekka
Wow, thanks for pointing that out! And also, what's the difference between mysql_real_escape_string and just mysql_escape_string?
Belgin Fish
@Belgin `mysql_real_escape_string()` will work with a live database connection, and return the escaped result with respect to that connection's character set. `mysql_escape_string()` is [deprecated](http://www.php.net/manual/en/function.mysql-escape-string.php).
Pekka
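The same INSERT built the way the answer recommends (escape and quote the whole value in one place) and, as the form a practitioner should reach for today, as a prepared statement. This is an added example, not the question's code or the answer's; it uses mysqli because the mysql_* functions were removed in PHP 7, and the connection details, `$title`, `$imgurl`, `$thisUrl`, `$embed` and `slug()` are placeholders assumed from the question.

```php
<?php
// Added example: connection details are placeholders; $title, $imgurl,
// $thisUrl, $embed and slug() are assumed to exist as in the question.
$conn = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');
mysqli_set_charset($conn, 'utf8mb4'); // escaping is charset-aware: set it first

// 1) The answer's advice: escape AND quote the whole value in one helper, so
//    a stray quote like the one in o_url cannot be typed into the SQL text.
function quoted(mysqli $conn, string $value): string {
    return "'" . mysqli_real_escape_string($conn, $value) . "'";
}

$today  = date('Y-m-d');
$o_url  = 'http://watchnewfilms.com/' . $thisUrl; // build the value, then quote it
$sql = "INSERT INTO videos SET
    title = " . quoted($conn, $title) . ",
    urltitle = " . quoted($conn, slug($title)) . ",
    description = '',
    category = 'streams',
    first_img = " . quoted($conn, $imgurl) . ",
    o_url = " . quoted($conn, $o_url) . ",
    type = 'stream',
    embed = " . quoted($conn, $embed) . ",
    last_updated = " . quoted($conn, $today) . ",
    date_added = " . quoted($conn, $today);
if (!mysqli_query($conn, $sql)) {
    die('Error adding new data: ' . mysqli_error($conn));
}

// 2) Preferred: a prepared statement. The values never become part of the SQL
//    string, so neither quoting mistakes nor injection through $embed are possible.
$stmt = mysqli_prepare($conn, "INSERT INTO videos SET
    title = ?, urltitle = ?, description = '', category = 'streams',
    first_img = ?, o_url = ?, type = 'stream', embed = ?,
    last_updated = ?, date_added = ?");
$urltitle = slug($title); // bind_param needs variables, not expressions
mysqli_stmt_bind_param($stmt, 'sssssss',
    $title, $urltitle, $imgurl, $o_url, $embed, $today, $today);
if (!mysqli_stmt_execute($stmt)) {
    die('Error adding new data: ' . mysqli_stmt_error($stmt));
}
```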