Hello

i have a problem with protect from sql injection :

the problem is:
Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in

My Old Code (working):

<?php
$currentid= $_GET['id'];
$q="select * from tbl_car where id=$currentid";
$result= mysql_query($q);
while ($row = mysql_fetch_assoc($result)) {}
?>

my New Code (not working):

<?php
$item = $_GET['id'];
$currentid = mysql_escape_string($item);
printf("Escaped string: %s\n", $currentid);

				
$q=sprintf("select * from tbl_car where id=’%s’",mysql_real_escape_string($currentid));
$result= mysql_query($q);


while ($row = mysql_fetch_assoc($result)) {
}
?>

the error in mysql_fetch_assoc

Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL result resource in

i tried to add @ like this

while ($row = @mysql_fetch_assoc($result))

but no results


can anyone help me please???

Recommended Answers

You're escaping things twice, remove the first one.

Jump to Post

Why you using sprintf anyway?
You're also using weird single quotes: id=’%s’
Use normal single quotes: id='%s'

Jump to Post

All 5 Replies

You're escaping things twice, remove the first one.

commented: yes +15
Member Avatar

Why you using sprintf anyway?
You're also using weird single quotes: id=’%s’
Use normal single quotes: id='%s'

commented: yes +15

thank you very much

it's working now

the problem id=’%s’

the correct single quotes id='%s'

thanks you again

Remember not to escape it twice, it's not safer than not.

Member Avatar

Agree with twiss.

If this is solved, mark it so with the link below.

commented: Now i know why you have so many solved threads +8
Be a part of the DaniWeb community

We're a friendly, industry-focused community of 1.20 million developers, IT pros, digital marketers, and technology enthusiasts learning and sharing knowledge.