Hello, all:
I'm trying to sanitize/secure my query, and it all seems OK when I test it with most special characters... but when I try to test the single quote (') like this... www.mysite.com/page.php?category='
Then it gives me this error:
"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"
It seems to do it only when I test it on the category variable... it only does it with single quotes, it's OK with double quotes; so I don't get it...
So if I test it with the other variables like this...
http://www.sitetemplates101.com/workCategories.php?category=1&type='
http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter='
Then it works fine, it simply refreshes or disregards the entry...
See below the code snippet I have... what am I doing wrong???
Thanks!!
PS. Forgot to mention I have an .htaccess that turns magic-quotes OFF.
<CODE>
// THESE ARE VARIABLES
// NOTE: the $_GET keys were lost when the post was saved; they are reconstructed here
// from the parameter names in the URLs above (category, type, filter) and are assumed.
$colname1_worksRS = "-1";
$colname2_worksRS = "-1";
$colname3_worksRS = "-1";
// mysql_real_escape_string() only escapes correctly with an open mysql_connect() link
if (isset($_GET['category'])) {
    $colname1_worksRS = mysql_real_escape_string($_GET['category']);
}
if (isset($_GET['type'])) {
    $colname2_worksRS = mysql_real_escape_string($_GET['type']);
}
if (isset($_GET['filter'])) {
    $colname3_worksRS = mysql_real_escape_string($_GET['filter']);
}
// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
$query_worksRS = "SELECT * FROM works";
if (!empty($_GET['category']))
{
    $query_worksRS .= " WHERE Type = '$colname1_worksRS'";
}
if (!empty($_GET['type']))
{
    // use WHERE when no category clause was added above, otherwise AND;
    // appending " AND ..." directly after "FROM works" is a syntax error
    $query_worksRS .= (empty($_GET['category']) ? " WHERE" : " AND") . " Subject = '$colname2_worksRS'";
}
// the escaped copy is compared here so an unset 'filter' key gives no notice
if ($colname3_worksRS == 'Price')
{
    $query_worksRS .= " ORDER BY Price DESC";
}
elseif ($colname3_worksRS == 'Size')
{
    $query_worksRS .= " ORDER BY Size DESC";
} else {
    $query_worksRS .= " ORDER BY ProductID DESC";
}
</CODE>
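The same three-parameter query builder written with PDO prepared statements, as an added example that is not the poster's code: the filter values are bound as parameters instead of being escaped and interpolated, so a stray quote in ?category=' cannot reach the SQL text at all, and the ORDER BY column (which cannot be bound) comes from a fixed whitelist. The DSN and credentials are placeholders; the table and column names are the ones in the post.

```php
<?php
// Assumed connection; replace the placeholder DSN/credentials with your own.
$pdo = new PDO('mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8', 'USER', 'PASS',
    array(PDO::ATTR_EMULATE_PREPARES => false,        // real server-side prepares
          PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));

// Returns array(sql, params) for the works query driven by category/type/filter.
function buildWorksQuery(array $get)
{
    $sql    = 'SELECT * FROM works';
    $where  = array();
    $params = array();

    if (!empty($get['category'])) {
        $where[]             = 'Type = :category';
        $params[':category'] = $get['category'];
    }
    if (!empty($get['type'])) {
        $where[]         = 'Subject = :type';
        $params[':type'] = $get['type'];
    }
    if ($where) {
        // joining with AND avoids the "AND without WHERE" case when only one filter is set
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }

    // Identifiers cannot be bound, so the sort column is looked up in a whitelist
    // keyed by the user's value; the value itself never enters the SQL string.
    $orderBy = array('Price' => 'Price', 'Size' => 'Size');
    $filter  = isset($get['filter']) ? $get['filter'] : '';
    $column  = isset($orderBy[$filter]) ? $orderBy[$filter] : 'ProductID';
    $sql .= ' ORDER BY ' . $column . ' DESC';

    return array($sql, $params);
}

list($sql, $params) = buildWorksQuery($_GET);
$stmt = $pdo->prepare($sql);   // e.g. SELECT * FROM works WHERE Type = :category ORDER BY ProductID DESC
$stmt->execute($params);       // ?category=' is sent as the literal value "'" and matches nothing
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```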