[SOLVED] mysql_escape_real_string + addslashes causing mysql error


jgp4


Hi,

I'm having trouble making my queries safe from SQL injection. I have a DB class which has a function runQuery which takes the query as a parameter. It then does the following code (taken directly from php.net):

if (get_magic_quotes_gpc()) {
     
    $query = stripslashes($query);
}

if (!is_numeric($query)) {
     
    $query = "'" . mysql_real_escape_string($query) . "'";
}

before the mysql_real_escape_string the query comes out as:

SELECT * FROM config WHERE cfg_name='default' LIMIT 1

I'm just using a random table to test it out before using it on user data - this query string does work.

After mysql_real_escape_string the query is like this:

SELECT * FROM config WHERE cfg_name=\'default\' LIMIT 1

As one expects the apostrophes have been escaped, however when I do mysql_query($query) I get the following message:

Query error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'default\' LIMIT 1' at line 1 (MySQL error 1064)

I also get this error when running the query from the command line.

I have also tried just addslashes but as it does exactly the same thing the same error appears.

Is there something blindingly obvious I have neglected to do, or is something odd going on?

Thanks.
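The code above escapes and quotes the entire statement, but mysql_real_escape_string is meant for the untrusted value that goes inside the quotes of a string literal, not for the SQL text around it. Escaping the whole query turns the delimiting quotes into \' and leaves the parser with something that is no longer SQL, which is exactly the 1064 error shown. The following is an added example, not code from the original post; it uses mysqli (the mysql_* extension was removed in PHP 7) and assumes a connection in $db with the same config table. The function names, the credentials, and the table contents are this example's own.

```php
<?php
// Added example, not the poster's code. Assumes an open mysqli connection
// in $db and a `config` table with a `cfg_name` column; function names and
// credentials below are assumptions for illustration.

/**
 * What the post's runQuery() effectively does: escapes and quotes the whole
 * statement. The quotes that delimit the literal get escaped too, so the
 * result is not valid SQL. Shown only to make the failure visible.
 */
function escapeWholeQuery(mysqli $db, string $query): string
{
    return "'" . $db->real_escape_string($query) . "'";
    // 'SELECT * FROM config WHERE cfg_name=\'default\' LIMIT 1'
}

/**
 * Correct use of real_escape_string: escape only the untrusted value, then
 * place it inside quotes that you write yourself as part of the SQL text.
 */
function buildConfigQuery(mysqli $db, string $cfgName): string
{
    $safe = $db->real_escape_string($cfgName);
    return "SELECT * FROM config WHERE cfg_name='{$safe}' LIMIT 1";
}

/**
 * Preferred fix: a prepared statement. The value is sent separately from
 * the SQL text, so no escaping is needed and the is_numeric() and
 * magic_quotes branches in the post are not needed at all.
 * get_result() requires the mysqlnd driver, which is the default build.
 */
function lookupConfig(mysqli $db, string $cfgName): ?array
{
    $stmt = $db->prepare("SELECT * FROM config WHERE cfg_name = ? LIMIT 1");
    $stmt->bind_param('s', $cfgName);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (assumed credentials and database name).
$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
// real_escape_string escapes according to the connection charset, so set it
// explicitly; relying on a default charset is a known multibyte escaping pitfall.
$db->set_charset('utf8mb4');

// A hostile value demonstrates why the value, not the query, must be escaped:
$hostile = "default' OR '1'='1";
echo buildConfigQuery($db, $hostile), "\n";
// SELECT * FROM config WHERE cfg_name='default\' OR \'1\'=\'1' LIMIT 1
// The injected text stays inside the literal and matches no row.

var_dump(lookupConfig($db, 'default'));   // the intended lookup
var_dump(lookupConfig($db, $hostile));    // null: treated as a plain string
```

The escaping branch is kept only to show the contrast; in new code, use the prepared statement and skip manual escaping entirely, since the magic_quotes handling in the post operates on request input, not on SQL, and was removed from PHP along with the mysql_* functions.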
