dtest Posted September 15, 2007: Can anyone tell me if it's normal that the character ` is not escaped when using mysql_real_escape_string to sanitize user input? I have a login box where, if you enter "INSERT INTO database USERS `'`" as username, I am still getting an error message after using mysql_real_escape_string: Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/mydomain.com/httpdocs/index.php on line 41 (https://forums.phpfreaks.com/topic/69457-solved-does-not-escape-with-mysql_real_escape_string/)
rarebit Posted September 15, 2007: It's a funny one; most people forget about it or don't realise it even exists. gcc and some text editors complain about it being used at all, so if I were you I'd just scan for it and replace/remove it before your other checks. So will I, now you mention it, cheers!
darkfreaks Posted September 15, 2007: Take it out of your SQL and do it before, like:

```php
<?php
// quote the array key: an unquoted key is treated as an undefined constant
$variable = $_POST['variable'];
$variable = mysql_real_escape_string($variable);
?>
```
darkfreaks Posted September 15, 2007: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
darkfreaks Posted September 15, 2007: So yes, it does not escape the ` character. What you could do is `str_replace('`', '', $variable)`, which would replace ` with nothing.
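An added example, not from any poster in this thread, showing why the unescaped backtick is not a problem as long as the value sits inside a quoted string literal, and showing the prepared-statement form that avoids the question altogether. The `mysql_style_escape()` helper is an illustrative imitation of the escape set listed above (it is not the real library call, which needs a live connection), and the database is an in-memory SQLite handle via PDO so the script runs offline; the table name `users` and column `username` are assumptions for the demo.

```php
<?php
// Added example (not code from the thread). Shows that a backtick passing
// through escaping unchanged is harmless when the value is a quoted literal,
// and that prepared statements remove the need to reason about it.

// Illustrative imitation of the character set that MySQL's
// mysql_real_escape_string escapes (\x00, \n, \r, \, ', " and \x1a).
// With a real MySQL connection use mysqli_real_escape_string() or,
// better, prepared statements as below.
function mysql_style_escape(string $value): string
{
    return strtr($value, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ]);
}

// Constructed sample input, the same string the original poster tried.
$username = "INSERT INTO database USERS `'`";

$escaped = mysql_style_escape($username);
// The backtick is untouched; only the single quote received a backslash.
// Because the value is wrapped in quotes in the SQL text, everything inside,
// backtick included, is string data and cannot close the literal.
$sql = "SELECT * FROM users WHERE username = '" . $escaped . "'";
echo $sql, "\n";

// Escaping only protects values placed inside quotes. A value interpolated
// bare (for example a column name after ORDER BY) is parsed as SQL syntax,
// and in MySQL backticks delimit identifiers there. For such positions,
// validate against an allow-list of known names instead of escaping.
$allowedColumns = ['username', 'id'];
$requested = 'username';                       // constructed sample
$orderBy = in_array($requested, $allowedColumns, true) ? $requested : 'id';

// Prepared statements send the value separately from the SQL text, so no
// character in the value is ever parsed as SQL.
$db = new PDO('sqlite::memory:');
// Exception mode means a failing query throws instead of returning false,
// which is what produced the "not a valid MySQL result resource" warning
// in the original post when mysql_fetch_object() was handed a false result.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO users (username) VALUES (:username)');
$insert->execute([':username' => $username]);

$select = $db->prepare(
    "SELECT username FROM users WHERE username = :username ORDER BY $orderBy"
);
$select->execute([':username' => $username]);
$row = $select->fetch(PDO::FETCH_ASSOC);

// The stored value round-trips exactly, backtick and quote included.
var_dump($row['username'] === $username);
```

The practical takeaway for the original problem: the warning about an invalid result resource means the query itself failed and returned false, so check the return value of the query call (or, with PDO, run in exception mode) before fetching; the backtick in the input is unrelated once the value is a quoted literal or a bound parameter.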
dtest Posted September 18, 2007 (Author): OK, I found out that it wasn't the ` that initiated the error message, but a syntax error in the code. I fixed it, and now ` doesn't appear to cause any problems anymore when I only use mysql_real_escape_string to sanitize. Thanks for the replies.