mcondiff Posted September 5, 2006

I'm having real trouble with quote_smart() from PHP. I need to know how to include a "quote_smart"ed variable into a SQL prepared statement. quote_smart() puts single quotes around all string vars, and my db has matching values and appropriate single quotes around the values.

I am getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '[email protected]''' at line 1". The way I have it seems to have an extra single quote at the end, but I can't tell where it's coming from. Can someone help?

```php
<?php
session_start();
require_once 'config.php';

function connect_db()
{
    // Lifted from a class method in the original; outside a class $this is
    // not available, so the link is kept in a global instead.
    global $db_connection;
    $db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD)
        or die('Unable to connect to Database!');
    mysql_select_db(DB_NAME);
}

function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number or a numeric string
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

connect_db(); // connects to db fine

$legal = "[email protected]";   // pre quote_smart
$legal = quote_smart($legal); // post quote_smart: the value is now wrapped in single quotes
$query = "SELECT * FROM users WHERE email = '$legal'";
$user = mysql_query($query) or die(mysql_error());
$numFound = mysql_num_rows($user);
echo $numFound;
$x = mysql_result($user, 0, "email");
$y = mysql_result($user, 0, "pass");
echo '<br> user-> ' . $x;
echo '<br> pass-> ' . $y;
?>
```

It's a login script that I'm using as part of a base application class, but this is easier to read.

Does anyone have an example of anything they've done using quote_smart(), or just tell me the standard/preferred way of using it to prevent SQL injection?

I'm at a loss here.

Thanks
Mike
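The two ways the query above can be written safely, as an added example that is not part of the original post: the first reuses the poster's quote_smart() (which already returns the value with its single quotes, so the SQL must not add a second pair), the second is a real prepared statement via PDO, where the value never touches the SQL text at all. It assumes the poster's quote_smart() is declared and that config.php defines SERVER_NAME, DB_USER, DB_PASSWORD and DB_NAME as in their script.

```php
<?php
// Added example, not code from the original post. Assumes config.php defines
// SERVER_NAME, DB_USER, DB_PASSWORD and DB_NAME, and that the poster's
// quote_smart() function is already declared in this file or included.
require_once 'config.php';

// Route 1: escaping with quote_smart(). The helper returns the value WITH
// its single quotes ('user@example.com'), so the query adds none of its own.
function user_query_with_quote_smart($email)
{
    $quoted = quote_smart($email);   // e.g. 'user@example.com'
    // Correct: no quotes around the interpolated value.
    return "SELECT email, pass FROM users WHERE email = $quoted";
    // The poster's form, "... WHERE email = '$quoted'", would produce
    // ''user@example.com'' and the syntax error quoted in the post.
}

// Route 2: a server-side prepared statement with PDO. The parameter is sent
// separately from the SQL, so no quoting or escaping of $email is needed.
function find_user_prepared(PDO $pdo, $email)
{
    $stmt = $pdo->prepare('SELECT email, pass FROM users WHERE email = ?');
    $stmt->execute(array($email));          // driver binds the value
    return $stmt->fetch(PDO::FETCH_ASSOC);  // false when no row matches
}

$pdo = new PDO('mysql:host=' . SERVER_NAME . ';dbname=' . DB_NAME,
               DB_USER, DB_PASSWORD);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server prepares

$row = find_user_prepared($pdo, 'user@example.com');   // constructed sample input
echo $row ? $row['email'] : 'no such user';
?>
```

With emulated prepares disabled, MySQL receives the statement text and the parameter in separate protocol messages, which is what "prepared statement" means in the thread title; the escaping route only ever builds a single string and is correct only as long as the quoting is not doubled.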