Hello

I have a problem with protecting against SQL injection.

The problem is:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in

My Old Code (working):

<?php
// id is read straight from the query string and interpolated into the SQL
// with no quoting and no escaping
$currentid = $_GET['id'];
$q = "select * from tbl_car where id=$currentid";
$result = mysql_query($q);
while ($row = mysql_fetch_assoc($result)) {}
?>

My new code (not working):

<?php
$item = $_GET['id'];
$currentid = mysql_escape_string($item);
printf("Escaped string: %s\n", $currentid);

$q = sprintf("select * from tbl_car where id=’%s’", mysql_real_escape_string($currentid));
$result = mysql_query($q);

while ($row = mysql_fetch_assoc($result)) {
}
?>

The error is in mysql_fetch_assoc:

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in

I tried to add @ like this:

while ($row = @mysql_fetch_assoc($result))

but no results.

Can anyone help me please?

You're escaping things twice; remove the first one.

commented: yes +15

diafol

Why are you using sprintf anyway?
You're also using weird single quotes: id=’%s’
Use normal single quotes: id='%s'

commented: yes +15
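The corrected query diafol is describing, written out as an added example (it is not the original poster's code or anything posted in the thread): ASCII quotes around %s, one round of escaping, and a check on the return value of the query call that the original code skipped, followed by the same lookup done as a mysqli prepared statement. The mysql_* functions were removed in PHP 7.0, so mysqli is used throughout. The connection details and a numeric id column in tbl_car (implied by the unquoted comparison in the old code) are assumptions.

```php
<?php
// Added example, not the original poster's code. Connection details and a
// numeric `id` column in tbl_car are assumptions.
$link = mysqli_connect('localhost', 'dbuser', 'dbpass', 'cars'); // assumed credentials
if ($link === false) {
    die('Connect error: ' . mysqli_connect_error());
}

$item = $_GET['id'] ?? '';

// 1. The thread's fix: escape exactly once, and wrap %s in ASCII single
//    quotes (U+0027), not the typographic ones that broke the query.
$q = sprintf("SELECT * FROM tbl_car WHERE id='%s'",
             mysqli_real_escape_string($link, $item));
$result = mysqli_query($link, $q);
if ($result === false) {
    // mysql_query()/mysqli_query() return false on a syntax error. The
    // original code passed that false straight to the fetch function, which
    // is what produced the "not a valid MySQL result resource" warning;
    // @ only hides the message, it does not make the query succeed.
    die('Query error: ' . mysqli_error($link));
}
while ($row = mysqli_fetch_assoc($result)) {
    // use $row ...
}
mysqli_free_result($result);

// 2. Preferred: a prepared statement. The value is sent separately from the
//    SQL text, so there is nothing to escape and nothing to escape twice.
$id = filter_var($item, FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    die('id must be an integer');
}
$stmt = mysqli_prepare($link, 'SELECT * FROM tbl_car WHERE id = ?');
if ($stmt === false) {
    die('Prepare error: ' . mysqli_error($link));
}
mysqli_stmt_bind_param($stmt, 'i', $id);      // 'i' binds $id as an integer
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);      // requires the mysqlnd driver
while ($row = mysqli_fetch_assoc($result)) {
    // use $row ...
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```

The prepared-statement form is the one to keep: with the id validated as an integer and bound as such, the request can never change the shape of the SQL, and the quoting question that started this thread does not arise at all.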

Thank you very much.

It's working now.

The problem was id=’%s’

The correct single quotes: id='%s'

Thank you again.

Remember not to escape it twice; it's not safer than not doing so.
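To see what twiss means, here is an added example (not from the thread) that traces a value through one and two rounds of escaping. mysql_real_escape_string() needs a live connection, so escape() below is a stand-in that applies the same substitutions (NUL, \n, \r, backslash, single quote, double quote, Ctrl-Z), and decode() mimics how the MySQL parser turns the contents of a single-quoted literal back into bytes, which is what the server actually compares against the column. Both helpers are written for this demo and are assumptions, not library code.

```php
<?php
// Added example, not from the thread. escape() stands in for
// mysql_real_escape_string() (which needs a connection); decode() mimics
// the server-side parsing of a single-quoted string literal.

function escape(string $s): string {
    // strtr() with an array does not rescan replaced text, so a backslash
    // inserted by one substitution is not escaped again in the same pass.
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// How the server reads the bytes between the quotes of a literal:
// \0 \n \r \Z map to control bytes; for any other escaped character
// the backslash is dropped and the character itself is kept.
function decode(string $literal): string {
    $out = '';
    $n = strlen($literal);
    for ($i = 0; $i < $n; $i++) {
        $c = $literal[$i];
        if ($c !== '\\' || $i + 1 >= $n) {
            $out .= $c;
            continue;
        }
        $e = $literal[++$i];
        switch ($e) {
            case '0': $out .= "\0";   break;
            case 'n': $out .= "\n";   break;
            case 'r': $out .= "\r";   break;
            case 'Z': $out .= "\x1a"; break;
            default:  $out .= $e;     break; // covers \\ \' \" and the rest
        }
    }
    return $out;
}

function show(string $label, string $value): void {
    $once  = escape($value);
    $twice = escape($once);
    printf("%s\n", $label);
    printf("  raw        : %s\n", $value);
    printf("  escaped x1 : '%s'  -> server sees: %s\n", $once,  decode($once));
    printf("  escaped x2 : '%s'  -> server sees: %s\n", $twice, decode($twice));
}

// Constructed sample inputs for the demo.
show("Legitimate value",             "O'Brien");
show("Injection attempt, quoted",    "1' OR '1'='1");
// Nothing in this one is touched by escaping. Inside quotes it is just a
// string, but in the old unquoted `where id=$currentid` query it is live
// SQL, which is why that query could not be fixed by escaping alone.
show("Injection attempt, no quotes", "1 OR 1=1");
```

Escaped once, O'Brien travels as 'O\'Brien' and the server reads back O'Brien. Escaped twice it becomes 'O\\\'Brien', which the server decodes to O\'Brien, so the lookup silently misses or the stray backslash ends up stored in the column. The quoted injection string is already inert after a single round, because the escaped quotes cannot close the literal; the second round adds nothing but corruption, which is the point twiss is making.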


diafol

Agree with twiss.

If this is solved, mark it so with the link below.

commented: Now I know why you have so many solved threads +8