Escaping Issues

[uramagget]

Escape Function

/*
Escapes illegal characters within a variable
*/
function escape($value,$allow_wildcards = true, $detect_numeric = true) 
{
		$return_value = $value;
		if (get_magic_quotes_gpc()) 
		{
			if(ini_get('magic_quotes_sybase')) 
			{
				$return_value = str_replace("''", "'", $return_value);
			} 
			else 
			{
				$return_value = stripslashes($return_value);
			}
		}
		//Escape wildcards for SQL injection protection on LIKE, GRANT, and REVOKE commands.
		if (!$allow_wildcards) 
		{
			$return_value = str_replace('%','\%',$return_value);
			$return_value = str_replace('_','\_',$return_value);
		}
		// Quote if $value is a string and detection enabled.
		if ($detect_numeric) 
		{
			if (!is_numeric($return_value)) 
			{
				return "'" . mysql_real_escape_string($return_value) . "'";
			}
		}
		//Finally, return the end result with the addition of mysql string escaping. 
		return mysql_real_escape_string($return_value);
}

 

MySQL Query:

if (empty($_POST['nick']) or $_POST['nick'] == " ") { $nick = "Anonymous"; } else { $nick = escape($_POST['nick']); }
$msg = escape($_POST['msg']);
$ip = $_SERVER['REMOTE_ADDR'];
$date = date('M j, y');
//SQL
$sql = "INSERT INTO msgs (`nick`, `message`, `date`, `ip`) VALUES('$nick', '$msg', '$date', '$ip');";

 

Error Returned:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nick'', ''nick'', 'Apr 5, 08', '66.98.84.184')' at line 1

 

 

It seems like it's adding a single-quote to a single-quote, thus contradicting the escape function itself. =/; Can anybody help out?

[kenrbnsn]

You are inconsistent with the values you return from your function. Sometimes you're returning a value surrounded by single quotes and sometimes you're not.

 

Ken

[uramagget]

Ah, I see. Thank you very much. It seems that the $detect_numeric return value was causing this. Thanks again. ^^;

 

EDIT: Uh, what happened to the [sOLVED] button? o_O