marklcfc, on 28 January 2013 - 20:37, said:
I have came across an error on my website, I wondered if anyone could help? I have the word Banks O'Dee in my php database ($buyfrom) and I receive this error when accessing my page..
And this is the code I use on my php page for this part
$q4="select location from opposition_team where opposition='$buyfrom'";
Can I not make this work without changing the word Banks O'Dee so it doesn't have the '
as I believe that is whats causing it.
What others have said is true about needing to escape your queries, I would recommend the using mysql_real_escape_string
function as mysql_escape_string
has been depreciated since php 5.3
in June 30, 2009
Since this is an issue showing up in your site there is also the possibility that there are other unescaped
queries in your website application. I would recommend updating your code to use PDO and prepared statements
to help increase the security of your site and help protect from SQL Injection.
I would also recommend validating your data before accepting it from the end user or from a storage system and using something like HTMLPurifier
to run your data through to assist with XSS protection.
Please take some time checking out the OWASP Top 10
to get a good idea of some of the security issues to look into. This should help you review your current site security level and see where it needs to be improved.