uramagget Posted April 5, 2008

Escape Function:

```php
/* Escapes illegal characters within a variable */
function escape($value, $allow_wildcards = true, $detect_numeric = true) {
    $return_value = $value;
    // Undo magic_quotes so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        if (ini_get('magic_quotes_sybase')) {
            $return_value = str_replace("''", "'", $return_value);
        } else {
            $return_value = stripslashes($return_value);
        }
    }
    // Escape wildcards for SQL injection protection on LIKE, GRANT, and REVOKE commands.
    if (!$allow_wildcards) {
        $return_value = str_replace('%', '\%', $return_value);
        $return_value = str_replace('_', '\_', $return_value);
    }
    // Quote if $value is a string and detection enabled.
    if ($detect_numeric) {
        if (!is_numeric($return_value)) {
            return "'" . mysql_real_escape_string($return_value) . "'";
        }
    }
    // Finally, return the end result with the addition of mysql string escaping.
    return mysql_real_escape_string($return_value);
}
```

MySQL Query:

```php
if (empty($_POST['nick']) or $_POST['nick'] == " ") {
    $nick = "Anonymous";
} else {
    $nick = escape($_POST['nick']);
}
$msg  = escape($_POST['msg']);
$ip   = $_SERVER['REMOTE_ADDR'];
$date = date('M j, y');

// SQL
$sql = "INSERT INTO msgs (`nick`, `message`, `date`, `ip`) VALUES('$nick', '$msg', '$date', '$ip');";
```

Error Returned:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nick'', ''nick'', 'Apr 5, 08', '66.98.84.184')' at line 1
```

It seems like it's adding a single quote to a single quote, thus contradicting the escape function itself. =/; Can anybody help out?
kenrbnsn Posted April 5, 2008

You are inconsistent with the values you return from your function. Sometimes you're returning a value surrounded by single quotes and sometimes you're not.

Ken
uramagget Posted April 5, 2008 (Author)

Ah, I see. Thank you very much. It seems that the $detect_numeric return value was causing this. Thanks again. ^^;

EDIT: Uh, what happened to the [SOLVED] button? o_O
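The fix Ken points at is a contract question: either the helper owns the quotes or the caller does, never both. The example below is added here and is not code from the thread; it uses PDO with an in-memory SQLite database (assumed available) so it runs without a MySQL server, and mirrors the `msgs` table from the first post. It shows the two consistent options (a prepared statement, or a quoting helper such as `PDO::quote()` whose output the caller never wraps again) and reproduces the double-quoting mistake from the thread as a caught syntax error. The nick, message and IP values are constructed sample input.

```php
<?php
// Added example, not from the original thread. In-memory SQLite via PDO so it runs offline;
// the column layout copies the `msgs` table from the first post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE msgs (nick TEXT, message TEXT, date TEXT, ip TEXT)");

// Constructed sample input containing the character that broke the original query.
$nick = "O'Brien";
$msg  = "it's 5% done, isn't it?";
$ip   = '192.0.2.10';      // documentation range, constructed
$date = date('M j, y');

// Option 1: prepared statement. Values never become part of the SQL text, so there is
// no escaping or quoting decision for either the helper or the caller to get wrong.
$stmt = $db->prepare(
    "INSERT INTO msgs (nick, message, date, ip) VALUES (:nick, :msg, :date, :ip)"
);
$stmt->execute([':nick' => $nick, ':msg' => $msg, ':date' => $date, ':ip' => $ip]);

// Option 2: a quoting helper that owns BOTH the escaping and the surrounding quotes.
// PDO::quote() has exactly that contract, so the format string carries no quotes of its own.
$sql = sprintf(
    "INSERT INTO msgs (nick, message, date, ip) VALUES (%s, %s, %s, %s)",
    $db->quote($nick), $db->quote($msg), $db->quote($date), $db->quote($ip)
);
$db->exec($sql);

// Both rows must hold the original strings unchanged.
$rows = $db->query("SELECT nick, message FROM msgs")->fetchAll(PDO::FETCH_ASSOC);
assert(count($rows) === 2);
assert($rows[0]['nick'] === "O'Brien" && $rows[1]['nick'] === "O'Brien");
assert($rows[0]['message'] === $msg && $rows[1]['message'] === $msg);
echo "stored " . count($rows) . " rows; nick = " . $rows[0]['nick'] . "\n";

// The thread's mistake reproduced: the helper already quoted the value and the caller
// wraps it in quotes a second time, giving ''O''Brien'' and a syntax error.
try {
    $db->exec("INSERT INTO msgs (nick) VALUES ('" . $db->quote($nick) . "')");
    echo "unexpected: double-quoted statement was accepted\n";
} catch (PDOException $e) {
    echo "double quoting fails, as in the thread: " . $e->getMessage() . "\n";
}
```

Of the two, the prepared statement is the one to keep: it also removes the `is_numeric` special case entirely, since a numeric-looking string bound as a parameter is simply stored as given.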