0

I keep getting this error message
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Hits and had 24,000 listener sessions; over 30 days. Get 5 commercials a day' at line 7

<!DOCTYPE html>
<?PHP error_reporting(0); session_start();
/**This file copyright (C) 2010 Mal Sorrell (admin@phpvalley.com)
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */
 include("php/submit_job_content.php");
?>
<div class="ed_profile">
<div class="akform">
<div id="allFields">
<div class="fields">
<form name="willdo" method="post" action="" ENCTYPE = "multipart/form-data" onsubmit="return checkform(this);">
<div class="field"><label><?PHP echo $lang['JOB_TITLE']?>:<span class="mandatory">*</span><br><h2><?PHP echo $lang['I_WILL']?>: <input class="textfield" name="willdo" type="text" value="<? echo $_POST['willdo']?>"/></h2> </label>
<div class="Limit"><div id='willdo-status'></div></div></div>
<div class="field"><label><?PHP echo $lang['CATEGORY']?>:<span class="mandatory">*</span> <?PHP echo $lang['CHOOSE_CAT']?>.</label>
<div class="fieldInput" id="email">
<?PHP
$sql = mysql_query("SELECT * FROM `categories` order by catname asc");
print "<select class=\"textfield\"  name=\"category\">\n";
$catname = $_POST['catname'];
while ($row = mysql_fetch_assoc($sql)){
$catname = $row['catname'];
print "<option value=\"$catname\">$catname\n</option>";
}
print "</select>\n";
?>
</div></div>
<div class="field"><label><?PHP echo $lang['MAKE_FEATURED']?>: <?PHP echo $lang['WE_CHARGE']?> <?PHP echo $featured_fee ?>% <?PHP echo $lang['FOR_FEATURED']?><span class="mandatory">*</span></label>
<div class="fieldInput" id="featured">
<select class="textfield" name="featured">
<option value="no"><?PHP echo $lang['NO']?></option>
<option value="yes"><?PHP echo $lang['YES']?></option>
</select>
</div>
</div>
<div class="field"><label><?PHP echo $lang['JOB_PRICE']?>:<span class="mandatory">*</span></label>
<div class="fieldInput" id="email">
<select class="textfield"  name="job_cost">
<?PHP
$price_range = htmlentities($price_range, ENT_QUOTES);
$kws = explode(",",$price_range);
foreach ($kws AS $a_kw) {
echo "<option value='".$a_kw."' >".$currency_symbol." ".$a_kw."</option> ";
}
?>
</select>
</div>
</div>
<div class="field">
<label><?PHP echo $lang['LINK']?>:<span class="mandatory">*</span> <?PHP echo $lang['LINK_TO_WEB']?> http://www.example.com.</label>
<div class="fieldInput" id="phone">
<input class="textfield"  name="link" type="text" />
</div></div>
<div class="field">
<label><?PHP echo $lang['VIDEO']?> <?PHP echo $lang['LINK']?>:<span class="mandatory">*</span> <?PHP echo $lang['LINK_TO_VIDEO']?> http://www.youtube.com/v/OVNZ3rX4a54</label>
<div class="fieldInput" id="phone">
<input class="textfield" name="video_link" type="text" />
</div></div>
<div class="field">
<label><?PHP echo $lang['DESCRIPTION']?>(include, For a $____ tip):<span class="mandatory">*</span> <?PHP echo $lang['BE_DESC']?></label>
<div class="fieldInput" id="phone">
<textarea name="job_description" class="textarea" rows="10" cols="75"></textarea><div class="Limit"><div id='job_description-status'></div></div>
</div></div>
<div class="field">
<label><?PHP echo $lang['KEYWORDS']?>:<span class="mandatory">*</span> <?PHP echo $lang['ENTER_KEYS']?></label>
<div class="fieldInput" id="phone">
<input class="textfield" name="keywords" type="text" />
</div></div>
<div class="field">
<label><?PHP echo $lang['MAX_DAYS']?>:<span class="mandatory">*</span> <?PHP echo $lang['MAX_TIME']?></label><input class="textfield" name="time_span" type="text" />
<div class="fieldInput" id="phone">
</div></div>
<div class="field">
<label><?PHP echo $lang['JOB_IMG']?>:<span class="mandatory">*</span> <?PHP echo $lang['IMG_RULES']?>,
<?PHP echo $lang['IMG_SIZE']?></label>
<div class="fieldInput" id="phone"><input name="img_path" type="file" class="textfield" size="35"/></div>
<input type="hidden" name="username" value="<? echo $username?>" />
<?PHP $settings = mysql_query("select * from members where username='".$_SESSION['userName']."'");
while ($rows = mysql_fetch_array($settings)){
$email = mysql_real_escape_string($rows['email']);
$ppemail = mysql_real_escape_string($rows['ppemail']);
}
if((!$ppemail) == 1 OR (!$email) == 1){
?>
<div align="right"><img src="images/disabled.jpg" onClick="return confirmSubmitt()"/></div>
<?PHP } else {?>
<div align="right"><input type="submit" class="Button" name="Submit_job" value="<?PHP echo $lang['SUB_JOB']?>" /></div>
<?PHP }?>
</div>
</form>
</div></div></div>
<script LANGUAGE="JavaScript">
<!--
function confirmSubmitt()
{
var agree=confirm("<?PHP echo $lang[FILL_PROFILE] ?>");
if (agree)
    return true ;
else
    return false ;
}
// -->
</script>
<script language="JavaScript" type="text/javascript">
<!--
function checkform ( form )
{
  if (form.willdo.value == "") {
    alert( "Please enter a job title." );
    form.willdo.focus();
    return false ;
  }
  if (form.job_description.value == "") {
    alert( "Please enter a job description." );
    form.job_description.focus();
    return false ;
  }
  if (form.keywords.value == "") {
    alert( "Please enter at least one keyword." );
    form.keywords.focus();
    return false ;
  }
  if (form.time_span.value == "") {
    alert( "Please enter a time span." );
    form.time_span.focus();
    return false ;
  }
  if (form.img_path.value == "") {
    alert( "You need to upload a job image." );
    form.img_path.focus();
    return false ;
  }
return true ;
}
//-->
</script>
</div></div>
<?PHP
include("side.php");
include("footer.php");
?>

Is there any thing wrong with this as well

<?PHP error_reporting(0); session_start();
/**This file copyright (C) 2010 Mal Sorrell (admin@phpvalley.com)
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 */
 ob_start();
if(!isset($_SESSION['userName'])){
    header('Location: index.php');
}else{
include("connect.php");
$date = date("F j, Y");
$username = $_SESSION['userName'];
$result = mysql_query("SELECT * FROM sitesettings");
while($row = mysql_fetch_array($result))
{
$title = "".$row["domain"]." - ".$username." My Sales";
$domain = mysql_real_escape_string($row["domain"]);
$price = mysql_real_escape_string($row["price"]);
$currency_symbol = mysql_real_escape_string($row["currency_symbol"]);
}

include("header.php");?>
<script LANGUAGE="JavaScript">
<!--
function confirmSubmitt()
{
var agree=confirm("<?PHP echo $lang['DELETE_ORDERS']?>");
if (agree)
    return true ;
else
    return false ;
}
// -->
</script>
<script LANGUAGE="JavaScript">
<!--
function confirmAcc()
{
var agree=confirm("<?PHP echo $lang['ACCEPT_YES']?>");
if (agree)
    return true ;
else
    return false ;
}
// -->
</script>
<script LANGUAGE="JavaScript">
<!--
function confirmSub()
{
alert("<?PHP echo $lang['NOT_CONFIRMED']?>");
}
// -->
</script>
<script language="JavaScript" type="text/javascript">
/*<![CDATA[*/
function SetAllCheckBoxes(FormName, FieldName, CheckValue)
{
    if(!document.forms[FormName])
        return;
    var objCheckBoxes = document.forms[FormName].elements[FieldName];
    if(!objCheckBoxes)
        return;
    var countCheckBoxes = objCheckBoxes.length;
    if(!countCheckBoxes)
        objCheckBoxes.checked = CheckValue;
    else
        // set the check value for all check boxes
        for(var i = 0; i < countCheckBoxes; i++)
            objCheckBoxes[i].checked = CheckValue;
}
/*]]>*/
</script>
<?PHP if (isset($_GET["act"])) {
$act = $_GET["act"];
if (isset($_GET["id"]))
$id= mysql_real_escape_string($_GET['id']);
else
die();
if ($act == "edit") {
$rec = mysql_query("SELECT * FROM jobs where id = '$id'") or die(mysql_error());
$datas = mysql_fetch_array($rec);
$username = $datas['username'];
$job_description = html_entity_decode($datas['job_description'], ENT_QUOTES);
$willdo = html_entity_decode($datas['willdo'], ENT_QUOTES);
$jobdescription=stripslashes(str_replace('\r\n', '<br>',($job_description)));
$willdo=stripslashes(str_replace('\r\n', '<br>',($willdo)));
$category = $datas['category'];
$job_cost = $datas['job_cost'];
$link = $datas['link'];
$video_link = $datas['video_link'];
$video_link = str_replace('watch?v=', 'v/',($video_link));
$keywords = $datas['keywords'];
$time_span = $datas['time_span'];
$postdate = $datas['postdate'];
$img_path = $datas['img_path'];
if($_SESSION['userName']!=''.$username.''){
    header('Location: index.php');
}
if(isset($_POST['submitedit']))
{
function filter($arr) {
return array_map('mysql_real_escape_string', $arr);
}
mysql_query("UPDATE jobs SET
            `willdo` = '$_POST[willdo]',
            `category` = '$_POST[category]',
            `job_cost` = '$_POST[job_cost]',
            `video_link` = '$_POST[video_link]',
            `link` = '$_POST[link]',
            `job_description` = '$_POST[job_description]',
            `part_description` = '$_POST[job_description]',
            `keywords` = '$_POST[keywords]',
            `time_span` = '$_POST[time_span]'
             WHERE id='$id'
            ") or die(mysql_error());
            if(mysql_query)
            {
echo "<div class=\"dialog-box-success5\">
<div class=\"dialog-left\">
<h3 align=\"center\"><img src=\"images/succes.png\" class=\"dialog-ico\" alt=\"\"/>".$lang['JOB_UPDATED']."</div></h3>
</div><META HTTP-EQUIV = 'Refresh' Content = '1; URL =my_jobs.php?act=edit&id=$id'";}
}
?><div class="ed_profile">
<form action='' method='post' ENCTYPE = "multipart/form-data">
<input type="hidden" name="id" value="<?PHP echo $id?>" >
<div class="akform"><?PHP echo "<h2>".$lang['EDIT_JOB']." ".$willdo."</h2>";?>
<div id="allFields">
<div class="fields">
<div class="field">
<label><?PHP echo $lang['JOB']?>:</label>
<div class="fieldInput" id="name">
<input name='willdo' class="textfield" type='text'value="<?PHP echo $willdo?> ">
</div>
</div>
<div class="field"><label><?PHP echo $lang['CATEGORY']?>:<span class="mandatory">*</span> <?PHP echo $lang['CHOOSE_CAT']?></label>
<div class="fieldInput" id="email">
<?PHP
$sql = mysql_query("SELECT * FROM `categories` order by catname asc");
print "<select class=\"textfield\" name=\"category\">\n";$catname = $category;
print "<option value=\"$category\">$category\n</option>";
while ($row = mysql_fetch_assoc($sql)){
$catname = mysql_real_escape_string($row['catname']);
print '<option value="'.$catname = stripslashes(str_replace(' ', '-',($catname))).'">'.$catname = stripslashes(str_replace(' ', '-',($catname))).'</option>';
}
print "</select>\n";
?>
</div>
</div>
<div class="field"><label><?PHP echo $lang['OB_PRICE']?> Tip Price:<span class="mandatory">*</span></label>
<div class="fieldInput" id="email">
<select class="textfield" name="job_cost">
<option value="<?PHP echo $job_cost?>"><?PHP echo $currency_symbol ?><?PHP echo $job_cost?></option>
<?PHP
$price_range = htmlentities($price_range, ENT_QUOTES);
$prc = explode(",",$price_range);
foreach ($prc AS $p_rc) {
echo "<option value='".$p_rc."' >".$currency_symbol." ".$p_rc."</option> ";
}
?>
</select>
</div>
</div>
                    <div class="field">
                    <label><?PHP echo $lang['LINK']?>:<span class="mandatory">*</span> <?PHP echo $lang['LINK_TO_WEB']?> http://www.example.com</label>
                    <div class="fieldInput" id="phone">
                    <input class="textfield" name="link" type="text" value='<?PHP echo $link?>'/>
                    </div></div>
                    <div class="field">
                    <label><?PHP echo $lang['VIDEO']?><?PHP echo $lang['LINK']?>:<span class="mandatory">*</span> <?PHP echo $lang['LINK_TO_VIDEO']?> http://www.youtube.com/v/OVNZ3rX4a54</label>
                    <div class="fieldInput" id="phone">
                    <input class="textfield" name="video_link" type="text" value='<?PHP echo $video_link?>'/>
                    </div></div>
                    <div class="field">
                    <label><?PHP echo $lang['DESCRIPTION']?>:</label>
                    <textarea name="job_description" cols="" rows="" class="textarea" id="field8" ><?PHP echo $jobdescription?></textarea>
                    </div>
                    <div class="field">
                    <label><?PHP echo $lang['KEYWORDS']?>:</label>
                    <input name="keywords" class="textfield" type='text' value='<?PHP echo htmlentities($keywords, ENT_QUOTES)?>' />
                    </div>
                    <div class="field">
                    <label><?PHP echo $lang['TIME_SPAN']?>:</label>
                    <div class="fieldInput" id="phone">
                    <input name="time_span" class="textfield" type='text' value='<?PHP echo $time_span?>' />
                    </div>
                    </div>
                    <div class="field">
                    <label><?PHP echo $lang['POSTDATE']?>:</label>
                    <div class="fieldInput" id="phone">
                    <input name="postdate" type='text' class="textfield" value='<?PHP echo $postdate?>' disabled="disabled"/>
                    </div>
                </div>
            <input type='submit' name='submitedit' value='<?PHP echo $lang['UPDATE_JOB']?>' class="Button"/>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<input type='reset' class="Button" name='submit' value='<?PHP echo $lang['RESET_FORM']?>' />
        </div>
    </div></div></form>
<form action='' method='post' ENCTYPE = "multipart/form-data">
<div class="akform2">
<div id="allFields">
<div class="fields">
<div class="field">
<label><?PHP echo $lang['CH_JOB_IMAGE']?></label><div class="clear"></div>
<img src="<?PHP echo $img_path?>" alt="an image"  style="float: left; padding-right:10px;"/><div class="clr"></div>
<div class="fieldInput" id="phone"><input name="img_path" type="file" class="textfield" size="35"/><div class="clear"></div>
<input type='submit' name='Upload' value='<?PHP echo $lang['CHANGE_IMAGE']?>' class="Button"/></div></div></div></div></div></form>
<?PHP
}
if ($act == "delete"){
$sql = "DELETE FROM jobs where  id='$id' " or die(mysql_error());
$result = mysql_query($sql);
if(!mysql_query) {
echo "<div class=\"dialog-box-error\">
<div class=\"dialog-left\">
<img src=\"images/error.png\" class=\"dialog-ico\" alt=\"\"/>".$lang['JOB_NOT_DEL']."
</div>
<div class=\"dialog-right\">
<img src=\"images/error-delete.jpg\" class=\"del-x\" alt=\"\"/>
</div>
</div>";
}else{ header( 'Location: profile-'.$username.'' ) ;
}
}
$path_thumbs = "users/".$_SESSION['userName']."";
$path_big = "users/".$_SESSION['userName']."";
//the new width of the resized image.
$img_thumb_width = 380; // in pixcel
$extlimit = "yes"; //Do you want to limit the extensions of files uploaded (yes/no)
//allowed Extensions
$limitedext = array(".jpg",".jpeg",".gif",".png",);
if(isset($_POST['Upload']))
{
$file_type = $_FILES['img_path']['type'];
       $file_name = $_FILES['img_path']['name'];
       $file_size = $_FILES['img_path']['size'];
       $file_tmp = $_FILES['img_path']['tmp_name'];
       //check file extension
       $ext = strrchr($file_name,'.');
       $ext = strtolower($ext);
       if (($extlimit == "yes") && (!in_array($ext,$limitedext))) {
          die (header( 'Location: invalid?wrong' ));
          exit();
       }
       //get the file extension.
       $getExt = explode ('.', $file_name);
       $file_ext = $getExt[count($getExt)-1];

       //create a random file name
       $rand_name = md5(time());
       $rand_name= rand(0,999999999);
       //get the new width variable.
       $ThumbWidth = $img_thumb_width;
       //keep image type
       if($file_size){
          if($file_type == "image/pjpeg" || $file_type == "image/jpeg"){
               $new_img = imagecreatefromjpeg($file_tmp);
           }elseif($file_type == "image/x-png" || $file_type == "image/png"){
               $new_img = imagecreatefrompng($file_tmp);
           }elseif($file_type == "image/gif"){
               $new_img = imagecreatefromgif($file_tmp);
           }
           //list width and height and keep height ratio.
           list($width, $height) = getimagesize($file_tmp);
           $imgratio=$width/$height;
           if ($imgratio>1){
              $newwidth = $ThumbWidth;
              $newheight = $ThumbWidth/$imgratio;
           }else{
                 $newheight = $ThumbWidth;
                 $newwidth = $ThumbWidth*$imgratio;
           }
           //function for resize image.
           if (function_exists(imagecreatetruecolor)){
           $resized_img = imagecreatetruecolor($newwidth,$newheight);
           }else{
                 die("Error: Please make sure you have GD library ver 2+");
           }
           imagecopyresized($resized_img, $new_img, 0, 0, 0, 0, $newwidth, $newheight, $width, $height);
           //save image
           ImageJpeg ($resized_img,"$path_thumbs/$rand_name.$file_ext");
           ImageDestroy ($resized_img);
           ImageDestroy ($new_img);
        }
mysql_query("UPDATE jobs SET
            `img_path` = '$path_thumbs/$rand_name.$file_ext'
            WHERE id='$id'
            ") or die(mysql_error());
echo "<div class=\"dialog-box-success\">
<div class=\"dialog-left\">
<img src=\"images/succes.png\" class=\"dialog-ico\" alt=\"\"/>".$lang['JOB_UPDATED']."</div>
</div>";header( 'Location: my_jobs.php?act=edit&id='.$id.'' ) ;
}
}
?>
</div></div>
<?PHP include("side.php");
include("footer.php");
ob_flush();
}
?>

Edited by alittle: extra

2
Contributors
2
Replies
4
Views
5 Years
Discussion Span
Last Post by alittle
0

Obviously you are feeding some text from a variable into a MySQL statement which contains an apostrophe (') which is not escaped.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.