
why my db query gets "stuck" when I manually test url with a '


mac007


Hello, all:

I'm trying to sanitize/secure my query, and it all seems OK when I test it with most special characters... but when I try to test the single quote (') like this... www.mysite.com/page.php?category='

Then it gives me this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"

It seems to do it only when I test it on the category variable... it only does it with single quotes, it's OK with double quotes; so I don't get it...

So if I test it with the other variables like this...

http://www.sitetemplates101.com/workCategories.php?category=1&type='

http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter='

Then it works fine, it simply refreshes or disregards the entry...

See the code snippet I have below... what am I doing wrong???

Thanks!!

PS. Forgot to mention I have .htaccess set to turn magic quotes OFF


<CODE>
<?php
// THESE ARE VARIABLES
// Note: mysql_real_escape_string() needs an open mysql_connect() link;
// without one it returns false (and the mysql_* functions were removed in PHP 7).
$colname1_worksRS = "-1";
$colname2_worksRS = "-1";
$colname3_worksRS = "-1";
if (isset($_GET['category'])) {
    $colname1_worksRS = mysql_real_escape_string($_GET['category']);
}
if (isset($_GET['type'])) {
    $colname2_worksRS = mysql_real_escape_string($_GET['type']);
}
if (isset($_GET['filter'])) {
    $colname3_worksRS = mysql_real_escape_string($_GET['filter']);
}

// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
$query_worksRS = "SELECT * FROM works";
$conditions = array();
if (!empty($_GET['category'])) {
    $conditions[] = "Type = '$colname1_worksRS'";
}
if (!empty($_GET['type'])) {
    $conditions[] = "Subject = '$colname2_worksRS'";
}
// Joining the conditions here avoids producing "SELECT * FROM works AND ..."
// (a syntax error) when type is given but category is not.
if ($conditions) {
    $query_worksRS .= " WHERE " . implode(" AND ", $conditions);
}
// Compare against the already-escaped value; this also avoids an
// undefined-index notice when filter is absent.
if ($colname3_worksRS == 'Price') {
    $query_worksRS .= " ORDER BY Price DESC";
} elseif ($colname3_worksRS == 'Size') {
    $query_worksRS .= " ORDER BY Size DESC";
} else {
    $query_worksRS .= " ORDER BY ProductID DESC";
}
</CODE>
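The same compound SELECT written with PDO prepared statements, as an added example that is not mac007's code; it assumes a PDO connection in `$pdo` and the `works` columns named in the post (Type, Subject, Price, Size, ProductID). Values are bound as parameters, so a lone quote in `category` is plain data, and the ORDER BY column comes from a whitelist because identifiers cannot be bound.

```php
<?php
// Assumed: a PDO connection to the same database, e.g.
// $pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', $user, $pass,
//                array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

/**
 * Build the "works" query from the request parameters.
 * Returns array($sql, $params): $sql uses ? placeholders, $params holds the values.
 */
function buildWorksQuery(array $get)
{
    $sql = "SELECT * FROM works";
    $conditions = array();
    $params = array();

    // Values go into bound parameters, never into the SQL text, so a stray
    // quote (category=') cannot break the statement.
    if (isset($get['category']) && $get['category'] !== '') {
        $conditions[] = "Type = ?";
        $params[] = $get['category'];
    }
    if (isset($get['type']) && $get['type'] !== '') {
        $conditions[] = "Subject = ?";
        $params[] = $get['type'];
    }
    // WHERE is added once, so type-only requests are still valid SQL.
    if ($conditions) {
        $sql .= " WHERE " . implode(" AND ", $conditions);
    }

    // Column names cannot be parameterized, so the ORDER BY column is
    // picked from a fixed whitelist; anything else falls back to ProductID.
    $orderBy = array('Price' => 'Price', 'Size' => 'Size');
    $filter = isset($get['filter']) ? $get['filter'] : '';
    $column = isset($orderBy[$filter]) ? $orderBy[$filter] : 'ProductID';
    $sql .= " ORDER BY $column DESC";

    return array($sql, $params);
}

list($sql, $params) = buildWorksQuery($_GET);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// For ?category='  the SQL is "SELECT * FROM works WHERE Type = ? ORDER BY ProductID DESC"
// with params array("'"), which MySQL executes without a syntax error.
```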
