
Why does my DB query get "stuck" when I manually test the URL with a '?

Hello, all:

I'm trying to sanitize/secure my query, and it all seems OK when I test it with most special characters... but when I try to test the single quote (') like this... www.mysite.com/page.php?category= '

Then it gives me this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"

It seems to do it only when I test it on the category variable... it only does it with single quotes, it's OK with double quotes; so I don't get it...

So if I test it with the other variables like this...
http://www.sitetemplates101.com/workCategories.php?category=1&type= '
http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter= '

Then it works fine; it simply refreshes or disregards the entry...

See the code snippet I have below... what am I doing wrong???

Thanks!!

PS. Forgot to mention I have a .htaccess to turn magic quotes OFF.



// THESE ARE VARIABLES
// (mysql_real_escape_string() needs an open mysql_connect() link before
// this point; without one it returns FALSE instead of the escaped string)
$colname1_worksRS = "-1";
$colname2_worksRS = "-1";
$colname3_worksRS = "-1";
if (isset($_GET['category'])) {
    $colname1_worksRS = mysql_real_escape_string($_GET['category']);
}
if (isset($_GET['type'])) {
    $colname2_worksRS = mysql_real_escape_string($_GET['type']);
}
if (isset($_GET['filter'])) {
    $colname3_worksRS = mysql_real_escape_string($_GET['filter']);
}

// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
$query_worksRS = "SELECT * FROM works";
$where_worksRS = array(); // collected conditions, joined with AND below
if (!empty($_GET['category']))
{
    $where_worksRS[] = "Type = '$colname1_worksRS'";
}
if (!empty($_GET['type']))
{
    $where_worksRS[] = "Subject = '$colname2_worksRS'";
}
if (count($where_worksRS) > 0)
{
    // a "type" without a "category" previously produced "FROM works AND ..."
    $query_worksRS .= " WHERE " . implode(" AND ", $where_worksRS);
}
// $_GET['filter'] is only compared after checking it is actually set
if (!empty($_GET['filter']) && $_GET['filter'] == 'Price')
{
    $query_worksRS .= " ORDER BY Price DESC";
}
elseif (!empty($_GET['filter']) && $_GET['filter'] == 'Size')
{
    $query_worksRS .= " ORDER BY Size DESC";
}
else
{
    $query_worksRS .= " ORDER BY ProductID DESC";
}

websurfer
Junior Poster in Training
65 posts since Mar 2007
Reputation Points: 10
Solved Threads: 0
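The safer way to build this kind of dynamic query is to send the user-supplied values as bound parameters rather than splicing escaped strings into the SQL, so a stray quote in `?category= '` arrives at MySQL as data and can never change the statement. The PHP below is an added example, not code from either poster; it reuses the table and column names from the snippet above (`works`, `Type`, `Subject`, `Price`, `Size`, `ProductID`), while the DSN, credentials and the function names are placeholders and assumptions of this example.

```php
<?php
// Added example (not the poster's code): the same works query built with
// PDO prepared statements. Values are bound, never concatenated into SQL.

function buildWorksQuery(array $get): array
{
    $sql    = "SELECT * FROM works";
    $where  = [];   // WHERE fragments, each with a "?" placeholder
    $params = [];   // values bound in the same order as the placeholders

    // A filter is added only when the parameter is present and non-empty;
    // the value itself goes into $params, not into the SQL string.
    if (!empty($get['category']) && is_string($get['category'])) {
        $where[]  = "Type = ?";
        $params[] = $get['category'];
    }
    if (!empty($get['type']) && is_string($get['type'])) {
        $where[]  = "Subject = ?";
        $params[] = $get['type'];
    }
    if ($where) {
        // Joined from a list, so "type" without "category" can no longer
        // produce the invalid "SELECT * FROM works AND Subject = ..."
        $sql .= " WHERE " . implode(" AND ", $where);
    }

    // Identifiers (column names) cannot be bound as parameters, so the
    // ORDER BY column is picked from a fixed whitelist; anything else,
    // including a missing or non-string filter, falls back to ProductID.
    $allowed = ['Price' => 'Price', 'Size' => 'Size'];
    $filter  = isset($get['filter']) && is_string($get['filter']) ? $get['filter'] : '';
    $column  = $allowed[$filter] ?? 'ProductID';
    $sql .= " ORDER BY $column DESC";

    return [$sql, $params];
}

function fetchWorks(PDO $pdo, array $get): array
{
    [$sql, $params] = buildWorksQuery($get);
    $stmt = $pdo->prepare($sql);   // statement text is fixed before any value is seen
    $stmt->execute($params);       // values travel separately from the SQL
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage against a real database (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
//                'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
// ]);
// $rows = fetchWorks($pdo, $_GET);

// Dry run without a database, reproducing the poster's test input
// ?category= ' (a space and a lone single quote) plus filter=Size:
[$sql, $params] = buildWorksQuery(['category' => " '", 'filter' => 'Size']);
echo $sql, "\n";
var_dump($params);
```

Printing the statement text (the "echo your final query" suggestion in the reply) is still a good debugging habit with prepared statements: the SQL now only ever contains `?` placeholders, so if a quote from the URL shows up in it, the value was concatenated somewhere rather than bound.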
 

Echo your final query and post it here.
Please use code tags to post the code.

network18
Practically a Master Poster
619 posts since Sep 2009
Reputation Points: 29
Solved Threads: 76
 
