Need Help with quote_smart, prepared sql statement.


#1 mcondiff


Posted 05 September 2006 - 08:37 PM

I'm having real trouble with quote_smart() from php.  I need to know how to include a quote_smart()-ed variable in a sql prepared statement.  quote_smart() puts single quotes around all string vars and my db has matching values and appropriate single quotes around the values.

I am getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'mikec@xyz.com''' at line 1"

The way I have it seems to have an extra single quote at the end, but I can't tell where it's coming from. Can someone help?


require_once 'config.php';

function connect_db()
{
    // the poster's class keeps this in $this->db_connection; a plain
    // function has no $this, so the link is returned instead
    $db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD)
        or die('Unable to connect to Database!');
    return $db_connection;
}

function quote_smart($value)
{
    // Stripslashes (undo magic_quotes_gpc so the value is escaped only once)
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

$db = connect_db(); // connects to db fine

$legal = "mikec@xyz.com";     // pre quote_smart
$legal = quote_smart($legal); // post quote_smart: the value now includes its own single quotes

// $legal already carries the single quotes that quote_smart() added
$query = "SELECT * FROM users WHERE email = '$legal'";

$user = mysql_query($query) or die(mysql_error());

$numFound = mysql_num_rows($user);

echo $numFound;

$x = mysql_result($user, 0, "email");
$y = mysql_result($user, 0, "pass");

echo '<br> user-> ' . $x;
echo '<br> pass-> ' . $y;

It's a login script that I'm using as part of a base application class, but this is easier to read.

Does anyone have an example of anything they've done using quote_smart, or could you just tell me the standard/preferred way of using it to prevent SQL injection?

I'm at a loss here.
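Two ways past the doubled quote, as an added example that is not the poster's code or a forum reply: the first keeps quote_smart()'s contract and simply drops the second pair of quotes from the SQL text, the second replaces quoting altogether with a mysqli prepared statement and a bound parameter. The mysqli API and the DB_NAME constant are assumptions; the other config.php constants and the `users` columns come from the post.

```php
<?php
// Added example, not the poster's code. Assumes the config.php constants
// from the post plus an assumed DB_NAME constant, and a `users` table with
// `email` and `pass` columns. Uses mysqli because the mysql_* extension was
// removed in PHP 7 and get_magic_quotes_gpc() in PHP 8.
require_once 'config.php';

$db = new mysqli(SERVER_NAME, DB_USER, DB_PASSWORD, DB_NAME);
if ($db->connect_error) {
    die('Unable to connect to Database: ' . $db->connect_error);
}

// Same contract as the post's quote_smart(): numbers pass through, strings
// come back escaped AND already wrapped in single quotes.
function quote_smart_mysqli(mysqli $db, $value) {
    if (!is_numeric($value)) {
        $value = "'" . $db->real_escape_string($value) . "'";
    }
    return $value;
}

// Using quote_smart() correctly: because it already added the quotes, the
// SQL text must not add a second pair around the value.
function find_user_escaped(mysqli $db, $email) {
    $legal = quote_smart_mysqli($db, $email);
    // Right:  ... WHERE email = 'mikec@xyz.com'
    // Wrong:  "... WHERE email = '$legal'"  -> doubled quotes, syntax error
    $result = $db->query("SELECT email, pass FROM users WHERE email = $legal");
    return $result ? $result->fetch_assoc() : null;
}

// The preferred way: a real prepared statement. The value travels separately
// from the SQL text, so no quoting or escaping is needed at all and the
// e-mail can never be parsed as SQL, whatever characters it contains.
function find_user_prepared(mysqli $db, $email) {
    $stmt = $db->prepare("SELECT email, pass FROM users WHERE email = ?");
    $stmt->bind_param('s', $email);         // 's' = bind as string
    $stmt->execute();
    $stmt->bind_result($found_email, $pass);
    $row = $stmt->fetch() ? ['email' => $found_email, 'pass' => $pass] : null;
    $stmt->close();
    return $row;
}

$user = find_user_prepared($db, 'mikec@xyz.com');
echo $user ? "user-> {$user['email']}" : 'no such user';
```

With the prepared statement there is nothing for quote_smart() to do; it only matters when the value is still being spliced into the query string.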


