Unsure how to escape this

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

SBro
Forum Commoner
Posts: 98
Joined: Tue Sep 30, 2003 10:06 pm

Post by SBro »

I have the following function (pretty much from php.net example) that I run for all queries

Code:

function smart_quote($value) {
	// If magic_quotes_gpc already added backslashes, strip them so the value
	// is not escaped twice; then escape exactly once for MySQL. Trimming is
	// done before escaping so it can never clip an escape sequence.
	if (get_magic_quotes_gpc()) $value = stripslashes($value);
	return mysql_real_escape_string(trim($value));
}
It all works fine, but now that I'm building a search page, if a user inputs (in the keyword field) something with quotes, i.e. "php", then the query will fail because of the wildcard in the LIKE clause:

Code:

$sql = sprintf('SELECT * FROM product WHERE category = %s AND %s LIKE "%%%s%%"',
	db::smart_quote($cat_id),    // unquoted in the SQL: only safe if $cat_id is guaranteed numeric
	db::smart_quote($search_by), // a column name is not a string literal; escaping does not protect this position
	db::smart_quote($keyword)    // escaped, but % and _ in the keyword still act as LIKE wildcards
);
I'm not sure how to get around this, as I obviously want to still keep my code 'safe' but don't want it to fail if someone enters a search in this fashion. Any ideas?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Why don't you try binding the parameters?
SBro
Forum Commoner
Posts: 98
Joined: Tue Sep 30, 2003 10:06 pm

Post by SBro »

Does mysql support binding?
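Added example for the binding suggested above and the question that follows it; this is not code from the thread. MySQL has supported server-side prepared statements since 4.1, and in PHP they are reached through mysqli or PDO (the old mysql_* extension has no binding API). The block below uses PDO against an in-memory SQLite database so it runs offline; for MySQL only the DSN and credentials change. The table and column names follow the thread's query, the rows and the helper names (escapeLike, searchProducts) are assumptions made for the example.

```php
<?php
// Added example, not from the original thread. Shows (1) binding the keyword
// so quotes in it are plain data, (2) escaping LIKE wildcards in the bound
// value, and (3) allow-listing the column name, which cannot be bound.
declare(strict_types=1);

// In-memory SQLite for an offline run; for MySQL use e.g.
// new PDO('mysql:host=...;dbname=...', $user, $pass) and set
// PDO::ATTR_EMULATE_PREPARES to false for server-side prepares.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE product (id INTEGER PRIMARY KEY, category INTEGER, name TEXT, description TEXT)');

// Constructed sample rows.
$ins = $pdo->prepare('INSERT INTO product (category, name, description) VALUES (?, ?, ?)');
foreach ([
    [1, 'PHP 5 Handbook',     'Covers "php" objects'],
    [1, '50% off PHP course', 'discount code php50'],
    [1, 'Perl in a Nutshell', 'not about php at all'],
    [2, 'PHP mug',            'ceramic'],
] as $row) {
    $ins->execute($row);
}

/**
 * Escape the characters LIKE treats specially so a user-supplied keyword is
 * matched literally. '!' is chosen as the escape character because the same
 * ESCAPE '!' clause works unchanged in MySQL and SQLite, whereas a backslash
 * has to be written differently for each. The escape character itself is
 * doubled first so the later replacements cannot be mistaken for escapes.
 */
function escapeLike(string $keyword, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $keyword);
}

/**
 * Search one of a fixed set of columns. Identifiers cannot be bound as
 * parameters, so the column name is checked against an allow-list instead
 * of being escaped; the category and keyword are bound.
 */
function searchProducts(PDO $pdo, int $categoryId, string $searchBy, string $keyword): array
{
    $allowed = ['name', 'description'];
    if (!in_array($searchBy, $allowed, true)) {
        throw new InvalidArgumentException("unsupported search column: $searchBy");
    }
    $sql = "SELECT id, name FROM product WHERE category = :cat AND $searchBy LIKE :kw ESCAPE '!'";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':cat', $categoryId, PDO::PARAM_INT);
    // Wildcards are added here, after escaping, so only ours are live.
    $stmt->bindValue(':kw', '%' . escapeLike(trim($keyword)) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Quotes in the keyword are data, so the statement does not fail.
print_r(searchProducts($pdo, 1, 'description', '"php"'));

// A percent sign in the keyword is matched literally rather than as a wildcard.
print_r(searchProducts($pdo, 1, 'name', '50%'));

// An injection attempt is compared as text, never parsed as SQL.
print_r(searchProducts($pdo, 1, 'name', "x' OR '1'='1"));

// A column name outside the allow-list is rejected before any SQL is built.
try {
    searchProducts($pdo, 1, '1=1 OR name', 'php');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Two caveats worth keeping in mind when moving this to MySQL: the pdo_mysql driver emulates prepares client-side by default, so set PDO::ATTR_EMULATE_PREPARES to false if you want the server to do the parsing; and binding does nothing for % and _ inside the value, which is why escapeLike() and the ESCAPE clause are still needed even with prepared statements.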
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

Turn the quotes into entities if they're not needed in the search results.