mcondiff Posted September 5, 2006 Share Posted September 5, 2006 I'm having real trouble with quote_smart() from php. I need to know how to include a "quote_smart"ed variable into a sql prepared statment. Quote_Smart() puts single quotes around all string vars and my db has matching values and appropriate single quotes around the values.I am getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'mikec@xyz.com''' at line 1" the way i have it seems to have an extra single quote at the end but i cant tell where its coming from can someone help?<?phpsession_start();require_once 'config.php';function connect_db(){$this->db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD) or die ('Unable to connect to Database!');mysql_select_db(DB_NAME);}function quote_smart($value){ // Stripslashes if (get_magic_quotes_gpc()) { $value = stripslashes($value); } // Quote if not a number or a numeric string if (!is_numeric($value)) { $value = "'" . mysql_real_escape_string($value) . "'"; } return $value; }connect_db(); //connects to db fine$legal = "mikec@xyz.com"; // pre quote_smart$legal = quote_smart($legal); // post quote_smart$query = "SELECT * FROM users WHERE email = '$legal'";$user = mysql_query($query) or die(mysql_error()); $numFound = mysql_num_rows($user);echo $numFound;$x = mysql_result($user,0,"email");$y = mysql_result($user,0,"pass");echo '<br> user-> '. $x;echo '<br> pass-> '. $y;?>Its a login script that im using as part of a base application class, but this is easier to read.Does anyone have an example of anything theyve done using quotesmart or just tell me the standard/preferred way of using it to prevent sql injection?I'm at a loss here.ThanksMike Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.