mac007, posted November 8, 2009

Hello, all: I'm trying to sanitize/secure my query, and it all seems OK when I test it with most special characters... but when I try to test the single quote (') like this...

www.mysite.com/page.php?category='

Then it gives me this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"

It seems to do it only when I test it on the category variable... it only does it with single quotes, it's OK with double quotes; so I don't get it... So if I test it with the other variables like this...

http://www.sitetemplates101.com/workCategories.php?category=1&type='
http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter='

Then it works fine, it simply refreshes or disregards the entry... See here below the code snippet I have... what am I doing wrong??? Thanks!!

PS. Forgot to mention I have .htaccess set to have magic quotes OFF.

<CODE>
// THESE ARE VARIABLES
// NOTE: mysql_real_escape_string() needs an open mysql_connect() link,
// so this block has to run after the database connection is made.
$colname1_worksRS = "-1";
$colname2_worksRS = "-1";
$colname3_worksRS = "-1";
if (isset($_GET['category'])) { $colname1_worksRS = mysql_real_escape_string($_GET['category']); }
if (isset($_GET['type']))     { $colname2_worksRS = mysql_real_escape_string($_GET['type']); }
if (isset($_GET['filter']))   { $colname3_worksRS = mysql_real_escape_string($_GET['filter']); }

// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
$query_worksRS = "SELECT * FROM works";
$hasWhere = false;
if (!empty($_GET['category'])) {
    $query_worksRS .= " WHERE Type = '$colname1_worksRS'";
    $hasWhere = true;
}
if (!empty($_GET['type'])) {
    // use WHERE rather than AND when no category clause was added
    $query_worksRS .= ($hasWhere ? " AND" : " WHERE") . " Subject = '$colname2_worksRS'";
}
if (!empty($_GET['filter']) && $_GET['filter'] == 'Price') {
    $query_worksRS .= " ORDER BY Price DESC";
} elseif (!empty($_GET['filter']) && $_GET['filter'] == 'Size') {
    $query_worksRS .= " ORDER BY Size DESC";
} else {
    $query_worksRS .= " ORDER BY ProductID DESC";
}
</CODE>

Thread: https://forums.phpfreaks.com/topic/180726-why-my-db-query-gets-stuck-when-i-manually-test-url-with-a/
genericnumber1, posted November 8, 2009

Try echoing the $query_worksRS after it has been constructed. From that point you will probably be able to figure out the problem.
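As an added example (not code from either poster), here is the same three-parameter query built with PDO prepared statements instead of string concatenation, together with the "echo the final SQL" debugging step from the reply. It assumes PHP 7.1 or later with the pdo_sqlite extension, uses an in-memory SQLite table as a stand-in for the MySQL database, and assumes the table and column names from the first post (works, Type, Subject, Price, Size, ProductID); the sample rows are constructed.

```php
<?php
// Added example, not the poster's code: parameterised version of the
// category/type/filter query, run against an in-memory SQLite table that
// stands in for the MySQL "works" table. Assumed: PHP 7.1+, pdo_sqlite,
// and the column names from the original post.

// Build the SQL with placeholders; user-supplied values never become SQL text.
function buildWorksQuery(array $get): array
{
    $sql    = "SELECT * FROM works";
    $where  = [];
    $params = [];

    if (isset($get['category']) && $get['category'] !== '') {
        $where[] = "Type = :category";
        $params[':category'] = $get['category'];
    }
    if (isset($get['type']) && $get['type'] !== '') {
        $where[] = "Subject = :type";
        $params[':type'] = $get['type'];
    }
    if ($where) {
        // Joining the clauses here avoids the "... works AND Subject = ..."
        // syntax error that concatenation produces when only ?type= is given.
        $sql .= " WHERE " . implode(" AND ", $where);
    }

    // ORDER BY cannot take a placeholder, so the column name comes from a
    // fixed whitelist; any other value falls back to the default ordering.
    $orderColumns = ['Price' => 'Price', 'Size' => 'Size'];
    $filter  = $get['filter'] ?? '';
    $orderBy = $orderColumns[$filter] ?? 'ProductID';
    $sql .= " ORDER BY $orderBy DESC";

    return [$sql, $params];
}

function runWorksQuery(PDO $pdo, array $get): array
{
    [$sql, $params] = buildWorksQuery($get);
    // The reply's advice: print exactly what is about to run, values separate.
    echo "SQL: $sql  params: " . json_encode($params) . "\n";
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in place of the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE works (ProductID INTEGER, Type TEXT, Subject TEXT, Price REAL, Size INTEGER)");
$pdo->exec("INSERT INTO works VALUES (1,'print','landscape',20.0,30), (2,'print','portrait',45.0,60), (3,'canvas','landscape',90.0,120)");

// Normal request: ?category=print&type=landscape&filter=Price
$rows = runWorksQuery($pdo, ['category' => 'print', 'type' => 'landscape', 'filter' => 'Price']);
echo count($rows) . " row(s)\n";

// Only ?type= given: the WHERE/AND choice is handled by the builder.
$rows = runWorksQuery($pdo, ['type' => 'landscape']);
echo count($rows) . " row(s)\n";

// The probe from the question, ?category=' : the quote is a bound value, not
// part of the statement, so there is no syntax error, only no matching rows.
$rows = runWorksQuery($pdo, ['category' => "'", 'filter' => "'"]);
echo count($rows) . " row(s)\n";
```

Run it with `php example.php`; the echoed SQL line shows that the statement text is identical whatever the request contains, which is the property the escaping-and-concatenation approach cannot give you. The whitelist for the ORDER BY column is the part that prepared statements do not cover on their own, since column names cannot be bound as parameters.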