mac007 Posted November 8, 2009 Share Posted November 8, 2009 Hello, all: I'm trying to sanitize/secure my query, and it all seems ok when I test it with most special-characters... but when I try to test the single quote (') like this... www.mysite.com/page.php?category=' Then it gives me this error: "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1" It seems to do it only when I test it on the category variable... it only does it with single quotes, it's Ok with double quotes; so I dont get it... So if I test it with the other variables like this... http://www.sitetemplates101.com/workCategories.php?category=1&type=' http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter=' Then it works fine, it simply refreshes or disregards entry... See here below the code-snippet i have... what am I doing wrong??? Thanks!! PS. Forgot to mention I have .htaccess to have magic-quotes OFF <CODE> // THESE ARE VARIABLES $colname1_worksRS = "-1"; $colname2_worksRS = "-1"; $colname3_worksRS = "-1"; if (isset($_GET['category'])) { $colname1_worksRS = mysql_real_escape_string($_GET['category']);} if (isset($_GET['type'])) { $colname2_worksRS = mysql_real_escape_string($_GET['type']);} if (isset($_GET['filter'])) { $colname3_worksRS = mysql_real_escape_string($_GET['filter']);} // THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES $query_worksRS = "SELECT * FROM works"; if (!empty($_GET['category'])) { $query_worksRS .= " WHERE Type = '$colname1_worksRS'"; } if (!empty($_GET['type'])) { $query_worksRS .= " AND Subject = '$colname2_worksRS'"; } if ((!empty($_GET['filter'])) && $_GET['filter'] == 'Price') { $query_worksRS .= " ORDER BY Price DESC"; } elseif ($_GET['filter'] == 'Size') { $query_worksRS .= " ORDER BY Size DESC"; }else { $query_worksRS .= " ORDER BY ProductID DESC"; } </CODE> Quote Link to comment Share on other sites More sharing options...
genericnumber1 Posted November 8, 2009 Share Posted November 8, 2009 Try echoing the $query_worksRS after it has been constructed. From that point you will probably be able to figure out the problem. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.