Jump to content


This topic is now archived and is closed to further replies.


Need Help with quote_smart, prepared sql statement.

Recommended Posts

I'm having real trouble with quote_smart() from php.  I need to know how to include a "quote_smart"ed variable into a sql prepared statment.  Quote_Smart() puts single quotes around all string vars and my db has matching values and appropriate single quotes around the values.

I am getting "You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'mikec@xyz.com''' at line 1"

the way i have it seems to have an extra single quote at the end but i cant tell where its coming from can someone help?


require_once 'config.php';

function connect_db()
$this->db_connection = mysql_connect(SERVER_NAME, DB_USER, DB_PASSWORD) or die ('Unable to connect to Database!');

function quote_smart($value)
  // Stripslashes
  if (get_magic_quotes_gpc()) {
      $value = stripslashes($value);
  // Quote if not a number or a numeric string
  if (!is_numeric($value)) {
      $value = "'" . mysql_real_escape_string($value) . "'";
  return $value;

connect_db(); //connects to db fine

$legal = "mikec@xyz.com"; // pre quote_smart
$legal = quote_smart($legal); // post quote_smart

$query = "SELECT * FROM users WHERE email = '$legal'";

$user = mysql_query($query) or die(mysql_error());

$numFound = mysql_num_rows($user);

echo $numFound;

$x = mysql_result($user,0,"email");
$y = mysql_result($user,0,"pass");

echo '<br> user-> '. $x;
echo '<br> pass-> '. $y;

Its a login script that im using as part of a base application class, but this is easier to read.

Does anyone have an example of anything theyve done using quotesmart or just tell me the standard/preferred way of using it to prevent sql injection?

I'm at a loss here.



Share this post

Link to post
Share on other sites


Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.