0

Hello, all:

I'm trying to sanitize/secure my query, and it all seems ok when I test it with most special-characters... but when I try to test the single quote (') like this... www.mysite.com/page.php?category='

Then it gives me this error:

"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1"

It seems to do it only when I test it on the category variable... it only does it with single quotes, it's Ok with double quotes; so I dont get it...

So if I test it with the other variables like this...
http://www.sitetemplates101.com/workCategories.php?category=1&type='
http://www.sitetemplates101.com/workCategories.php?category=1&type=2&filter='

Then it works fine, it simply refreshes or disregards entry...

See here below the code-snippet i have... what am I doing wrong???

Thanks!!

PS. Forgot to mention I have .htaccess to have magic-quotes OFF


<CODE>

// THESE ARE VARIABLES
$colname1_worksRS = "-1";
$colname2_worksRS = "-1";
$colname3_worksRS = "-1";
if (isset($_GET)) {
$colname1_worksRS = mysql_real_escape_string($_GET);}
if (isset($_GET)) {
$colname2_worksRS = mysql_real_escape_string($_GET);}
if (isset($_GET)) {
$colname3_worksRS = mysql_real_escape_string($_GET);}

// THIS IS COMPOUND SELECT STATEMENT ACCORDING TO CALLED VARIABLES
$query_worksRS = "SELECT * FROM works";
if (!empty($_GET))
{
$query_worksRS .= " WHERE Type = '$colname1_worksRS'";
}
if (!empty($_GET))
{
$query_worksRS .= " AND Subject = '$colname2_worksRS'";
}
if ((!empty($_GET)) && $_GET == 'Price')
{
$query_worksRS .= " ORDER BY Price DESC";
}
elseif ($_GET == 'Size')
{
$query_worksRS .= " ORDER BY Size DESC";
}else {
$query_worksRS .= " ORDER BY ProductID DESC";
}

</CODE>

2
Contributors
1
Reply
2
Views
7 Years
Discussion Span
Last Post by network18
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.