uramagget Posted April 5, 2008

Escape Function:

    /* Escapes illegal characters within a variable */
    function escape($value, $allow_wildcards = true, $detect_numeric = true)
    {
        $return_value = $value;

        // Undo magic_quotes if PHP has already added slashes to the input.
        if (get_magic_quotes_gpc()) {
            if (ini_get('magic_quotes_sybase')) {
                $return_value = str_replace("''", "'", $return_value);
            } else {
                $return_value = stripslashes($return_value);
            }
        }

        // Escape wildcards for SQL injection protection on LIKE, GRANT, and REVOKE commands.
        if (!$allow_wildcards) {
            $return_value = str_replace('%', '\%', $return_value);
            $return_value = str_replace('_', '\_', $return_value);
        }

        // Quote if $value is a string and detection enabled.
        if ($detect_numeric) {
            if (!is_numeric($return_value)) {
                return "'" . mysql_real_escape_string($return_value) . "'";
            }
        }

        // Finally, return the end result with the addition of mysql string escaping.
        return mysql_real_escape_string($return_value);
    }

MySQL Query:

    if (empty($_POST['nick']) or $_POST['nick'] == " ") {
        $nick = "Anonymous";
    } else {
        $nick = escape($_POST['nick']);
    }
    $msg  = escape($_POST['msg']);
    $ip   = $_SERVER['REMOTE_ADDR'];
    $date = date('M j, y');

    // SQL
    $sql = "INSERT INTO msgs (`nick`, `message`, `date`, `ip`) VALUES('$nick', '$msg', '$date', '$ip');";

Error Returned:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'nick'', ''nick'', 'Apr 5, 08', '66.98.84.184')' at line 1

It seems like it's adding a single-quote to a single-quote, thus contradicting the escape function itself. =/; Can anybody help out?
kenrbnsn Posted April 5, 2008

You are inconsistent with the values you return from your function. Sometimes you're returning a value surrounded by single quotes and sometimes you're not.

Ken
uramagget Posted April 5, 2008

Ah, I see. Thank you very much. It seems that the $detect_numeric return value was causing this. Thanks again. ^^;

EDIT: Uh, what happened to the [SOLVED] button? o_O
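The root cause in the thread is a quoting contract that differs by input: escape() returns a string already wrapped in single quotes for non-numeric input, and the caller wraps it in quotes again. Picking one contract (never quote inside escape(), always quote at the call site) fixes the syntax error, but the cleaner defence is to let the database driver bind the values, so the application code neither escapes nor quotes anything. The following is an added example, not code from the thread: it performs the same INSERT into a `msgs` table using PDO prepared statements against an in-memory SQLite database (pdo_sqlite) so it runs offline. The table layout mirrors the thread's columns; the rows and IP addresses are constructed, and the nick check uses trim() rather than the thread's exact `== " "` comparison, which is a small generalisation.

```php
<?php
// Added example: parameterised INSERT for the thread's message board.
// Requires the pdo_sqlite extension; no MySQL server is needed.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the thread's `msgs` table (constructed schema).
    $db->exec('CREATE TABLE msgs (nick TEXT, message TEXT, date TEXT, ip TEXT)');
    return $db;
}

// Mirrors the thread's fallback to "Anonymous" for a missing/blank nick.
function normalise_nick(?string $nick): string
{
    return ($nick === null || trim($nick) === '') ? 'Anonymous' : $nick;
}

// Every value goes through a bound parameter: quotes, backslashes and
// wildcards in the input are stored verbatim and never reach the SQL text.
function insert_message(PDO $db, ?string $nick, string $msg, string $ip, string $date): void
{
    $stmt = $db->prepare(
        'INSERT INTO msgs (nick, message, date, ip) VALUES (:nick, :msg, :date, :ip)'
    );
    $stmt->execute([
        ':nick' => normalise_nick($nick),
        ':msg'  => $msg,
        ':date' => $date,
        ':ip'   => $ip,
    ]);
}

function all_messages(PDO $db): array
{
    return $db->query('SELECT nick, message FROM msgs ORDER BY rowid')
              ->fetchAll(PDO::FETCH_ASSOC);
}

$db = open_db();

// Constructed inputs: a quote inside the nick (the case that broke the
// original query), a numeric nick, and a blank nick.
insert_message($db, "O'Reilly", "it's fine, no doubled quotes",  '192.0.2.10', 'Apr 5, 08');
insert_message($db, '12345',    'numeric nick is still a string', '192.0.2.11', 'Apr 5, 08');
insert_message($db, ' ',        'blank nick becomes Anonymous',   '192.0.2.12', 'Apr 5, 08');

foreach (all_messages($db) as $row) {
    printf("%-10s %s\n", $row['nick'], $row['message']);
}
```

Because the driver sends values separately from the statement text, the numeric/non-numeric branch that caused the thread's error simply disappears: there is no decision about whether to add quotes, and a nick such as O'Reilly or a message containing a backslash is stored as typed. The same pattern applies unchanged to MySQL by swapping the DSN (for example `mysql:host=...;dbname=...`) and leaving the prepare/execute code as it is.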