[SOLVED] escaping SQL problems

[darkfreaks]

ok now i get wrong parameter count on line 11

<?php
collect_user = mysql_query("SELECT * FROM progress_users WHERE name = '$NAME' AND password = '$PASS'",
	mysql_real_escape_string($NAME),
	mysql_real_escape_string($PASS))or die(mysql_error()); ///line11 ?>

[trq]

mysql_query only takes two perameters, your passing it three. Either use...

 

<?php

$NAME = mysql_real_escape_string($NAME);
$PASS = mysql_real_escape_string($PASS);
$collect_user = mysql_query("SELECT * FROM progress_users WHERE name = '$NAME' AND password = '$PASS'") or die(mysql_error());

?>

 

Or...

 

<?php

$collect_user = mysql_query(sprintf("SELECT * FROM progress_users WHERE name = '%s' AND password = '%s'",mysql_real_escape_string($NAME), mysql_real_escape_string($PASS))) or die(mysql_error());

?>

 

PS: Using caps for variable names is a bad idea. Constants normally use caps.

[darkfreaks]

The first one worked thanks thorpe i just needed to add that function to protect against injection attacks