
Escaping Issues


uramagget


Escape Function


/*
Escapes illegal characters within a variable
*/
function escape($value,$allow_wildcards = true, $detect_numeric = true) 
{
		$return_value = $value;
		if (get_magic_quotes_gpc()) 
		{
			if(ini_get('magic_quotes_sybase')) 
			{
				$return_value = str_replace("''", "'", $return_value);
			} 
			else 
			{
				$return_value = stripslashes($return_value);
			}
		}
		//Escape wildcards for SQL injection protection on LIKE, GRANT, and REVOKE commands.
		if (!$allow_wildcards) 
		{
			$return_value = str_replace('%','\%',$return_value);
			$return_value = str_replace('_','\_',$return_value);
		}
		// Quote if $value is a string and detection enabled.
		if ($detect_numeric) 
		{
			if (!is_numeric($return_value)) 
			{
				return "'" . mysql_real_escape_string($return_value) . "'";
			}
		}
		//Finally, return the end result with the addition of mysql string escaping. 
		return mysql_real_escape_string($return_value);
}


MySQL Query:

if (empty($_POST['nick']) or $_POST['nick'] == " ") {
    $nick = "Anonymous";
} else {
    $nick = escape($_POST['nick']);
}
$msg = escape($_POST['msg']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date('M j, y');
//SQL
$sql = "INSERT INTO msgs (`nick`, `message`, `date`, `ip`) VALUES('$nick', '$msg', '$date', '$ip');";


Error Returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nick'', ''nick'', 'Apr 5, 08', '66.98.84.184')' at line 1


It seems like it's adding a single-quote to a single-quote, thus contradicting the escape function itself. =/; Can anybody help out?

https://forums.phpfreaks.com/topic/99681-escaping-issues/
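Added example, not code from the original post: escape() already wraps every non-numeric value in single quotes (the $detect_numeric branch), and the INSERT then wraps it a second time, which is where ''nick'' comes from. The stand-in below uses addslashes() in place of mysql_real_escape_string() (which needs a live connection) and my own function names, and contrasts the double-quoted query with a version that lets the escape helper own the quoting, plus a PDO prepared statement that needs no string escaping at all.

```php
<?php
// Stand-in for the poster's escape(): like the original, it returns a value that is
// ALREADY wrapped in quotes whenever it is not numeric. addslashes() is an assumption
// used only because mysql_real_escape_string() requires an open connection; the
// double-quoting effect is identical.
function quote_value($value, $detect_numeric = true)
{
    if ($detect_numeric && !is_numeric($value)) {
        return "'" . addslashes($value) . "'";   // returns the value wrapped in quotes
    }
    return addslashes($value);                    // numeric values come back bare
}

// Reproduces the mistake in the post: the helper quotes, and the query quotes again,
// so a nick of O'Brien ends up as ''O\'Brien'' and MySQL rejects the statement.
function build_insert_broken($nick, $msg)
{
    $nick = quote_value($nick);
    $msg  = quote_value($msg);
    return "INSERT INTO msgs (`nick`, `message`) VALUES('$nick', '$msg')";
}

// Fixed string-building form: interpolate the helper's output without extra quotes.
// Caveat: a value the helper judges numeric is interpolated bare, so the helper,
// not the query, decides when quoting happens; every caller must know that.
function build_insert_fixed($nick, $msg)
{
    $nick = quote_value($nick);
    $msg  = quote_value($msg);
    return "INSERT INTO msgs (`nick`, `message`) VALUES($nick, $msg)";
}

// Preferred form: a prepared statement. Values are bound separately from the SQL
// text, so neither quoting nor escaping is needed and the mismatch cannot occur.
function insert_prepared(PDO $db, $nick, $msg, $ip)
{
    $stmt = $db->prepare(
        'INSERT INTO msgs (`nick`, `message`, `date`, `ip`) VALUES (?, ?, ?, ?)'
    );
    return $stmt->execute(array($nick, $msg, date('M j, y'), $ip));
}

// Constructed sample input: a nick containing a single quote.
echo build_insert_broken("O'Brien", "hello"), "\n";
echo build_insert_fixed("O'Brien", "hello"), "\n";
```

Run the script and compare the two printed statements: the first carries the doubled quotes that produced the error in the post, the second is valid SQL.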
