jgp4 Posted January 4, 2007

Hi,

I'm having trouble making my queries safe from SQL injection. I have a DB class which has a function runQuery which takes the query as a parameter. It then does the following code (taken directly from php.net):

    if (get_magic_quotes_gpc()) {
        $query = stripslashes($query);
    }
    if (!is_numeric($query)) {
        $query = "'" . mysql_real_escape_string($query) . "'";
    }

Before the mysql_real_escape_string the query comes out as:

    SELECT * FROM config WHERE cfg_name='default' LIMIT 1

I'm just using a random table to test it out before using it on user data - this query string does work.

After mysql_real_escape_string the query is like this:

    SELECT * FROM config WHERE cfg_name=\'default\' LIMIT 1

As one expects the apostrophes have been escaped, however when I do mysql_query($query) I get the following message:

    Query error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'default\' LIMIT 1' at line 1 (MySQL error 1064)

I also get this error when running the query from the command line.

I have also tried just addslashes, but as it does exactly the same thing the same error appears.

Is there something blindingly obvious I have neglected to do, or is something odd going on?

Thanks.
effigy Posted January 4, 2007

Either of these (use MySQL's) should be applied to the individual fields, not the entire query; see example 1 [url=http://us3.php.net/mysql_real_escape_string]here[/url].
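The distinction effigy is drawing, shown as an added example that is not code from this thread or from php.net: the escaping function has to wrap each value that gets spliced into the SQL, and the finished query must never pass through it. The table and column names (config, cfg_name) are the ones from the post; the function names escapeMysqlValue, escapeWholeQuery, escapePerValue and lookupConfigPrepared are made up for this example. Because mysql_real_escape_string needs a live connection (and the whole mysql_* extension was removed in PHP 7), the example uses a local escaper that mirrors what it does to the seven characters it rewrites under the default sql_mode; in real code use the connection-aware mysqli_real_escape_string or, better, a prepared statement. The prepared-statement version runs against an in-memory SQLite database through PDO purely so it works offline; with MySQL only the DSN changes. The malicious input is constructed for the demo.

```php
<?php
// Added example, not from the original thread.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string (assumption: default sql_mode,
// single-byte or UTF-8 connection). Rewrites NUL, \n, \r, \, ', " and ^Z.
// Not connection-aware, so it is for illustration only.
function escapeMysqlValue(string $value): string
{
    return strtr($value, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// The mistake in the post: escaping the whole query string turns the
// quotes that delimit the literal into \' and MySQL rejects it (error 1064).
function escapeWholeQuery(string $name): string
{
    $query = "SELECT * FROM config WHERE cfg_name='$name' LIMIT 1";
    return escapeMysqlValue($query);
}

// Correct use of an escaping function: escape the value, then quote it,
// then splice it into otherwise fixed SQL. The quotes that delimit the
// literal are never themselves escaped.
function escapePerValue(string $name): string
{
    $safe = escapeMysqlValue($name);
    return "SELECT * FROM config WHERE cfg_name='$safe' LIMIT 1";
}

// Preferred on any supported PHP: a prepared statement, so the value is
// sent separately from the SQL text and no escaping is needed at all.
function lookupConfigPrepared(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT * FROM config WHERE cfg_name = ? LIMIT 1');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo against an in-memory SQLite database (assumption: pdo_sqlite is
// available; with MySQL use a mysql: DSN and the same SQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE config (cfg_name TEXT PRIMARY KEY, cfg_value TEXT)');
$db->exec("INSERT INTO config VALUES ('default', 'yes')");

$hostile = "' OR '1'='1";   // constructed injection attempt

echo escapeWholeQuery('default'), "\n";   // the broken query from the post
echo escapePerValue($hostile), "\n";      // payload stays inside the literal
var_dump(lookupConfigPrepared($db, 'default'));   // the row
var_dump(lookupConfigPrepared($db, $hostile));    // NULL: no such cfg_name
```

escapePerValue($hostile) yields `SELECT * FROM config WHERE cfg_name='\' OR \'1\'=\'1' LIMIT 1`, a single string comparison rather than a tautology. Two caveats a practitioner would want: the get_magic_quotes_gpc/stripslashes preamble in the post only matters on PHP older than 5.4, where magic quotes were removed; and the is_numeric branch in the php.net snippet is a reason to prefer prepared statements, since an unquoted number is still concatenated SQL and a wrong type hint turns it back into an injection point.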
jgp4 (author) Posted January 4, 2007

Thanks effigy, I feel a bit silly now ::)