I have the following function (pretty much from the php.net example) that I run for all queries:
function smart_quote($value) {
    // Undo the escaping magic_quotes_gpc already applied so the value is not escaped twice
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    // Trim before escaping so trailing whitespace is removed from the raw value, not the escaped one
    $value = trim($value);
    // Always escape for MySQL; the original only escaped when magic quotes were off,
    // so quote characters reached the query unescaped whenever magic quotes were on
    return mysql_real_escape_string($value);
}
It all works fine, but now that I'm building a search page, if a user inputs something with quotes in the keyword field, e.g. "php", then the query will fail because of the wildcard in the LIKE clause:
$sql = sprintf('SELECT * FROM product WHERE category = %s AND %s LIKE "%%%s%%"',
    db::smart_quote($cat_id),
    db::smart_quote($search_by),
    db::smart_quote($keyword)
);
I'm not sure how to get around this, as I obviously want to keep my code 'safe' but don't want it to fail if someone enters a search in this fashion. Any ideas?
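One way to build this search query so that quotes in the keyword cannot break it, and so that the two remaining risks in the posted query are closed as well: the user-chosen column name (`$search_by`), which `mysql_real_escape_string()` does nothing to protect, and the LIKE metacharacters `%` and `_`, which it also leaves alone. This is an added example, not code from the original post. It uses mysqli prepared statements rather than ext/mysql (removed in PHP 7.0; `get_magic_quotes_gpc()` was removed in PHP 8.0) and assumes a live `mysqli` connection in `$db` and a mysqlnd-backed build for `get_result()`. The `product` table and `category` column come from the post; the searchable column names are assumptions for illustration.

```php
<?php
// Added example (not from the original post). Assumes $db is a connected mysqli
// instance and that mysqlnd is available (needed for mysqli_stmt::get_result()).

/** Columns a user may search on. Identifiers cannot be bound as parameters, so a
 *  user-chosen column is only safe when matched against a fixed whitelist.
 *  (Column names are assumed for illustration.) */
const SEARCHABLE_COLUMNS = ['name', 'description', 'sku'];

/**
 * Escape LIKE metacharacters so a keyword such as "50%" or "a_b" matches literally.
 * '!' is used as the escape character and declared with ESCAPE in the query, which
 * avoids depending on backslash handling (NO_BACKSLASH_ESCAPES sql_mode disables the
 * default backslash escape). The '!' itself is escaped too so a literal '!' survives.
 */
function escape_like(string $keyword): string
{
    return addcslashes($keyword, '!%_');
}

/**
 * Run the product search. Quotes in $keyword (e.g. "php") are harmless because the
 * keyword never becomes part of the SQL text: it is sent as a bound parameter.
 */
function search_products(mysqli $db, int $category_id, string $search_by, string $keyword): array
{
    // Reject any column that is not on the whitelist before it goes near the SQL text.
    if (!in_array($search_by, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException('Unknown search column');
    }

    // $search_by is now a known-good identifier, so splicing it in is safe.
    $sql = sprintf(
        'SELECT * FROM product WHERE category = ? AND `%s` LIKE ? ESCAPE \'!\'',
        $search_by
    );

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('Prepare failed: ' . $db->error);
    }

    // The wildcards are added here, after escaping, so only our own %...% act as wildcards.
    $pattern = '%' . escape_like(trim($keyword)) . '%';
    $stmt->bind_param('is', $category_id, $pattern);
    $stmt->execute();

    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed usage: search the description column for the literal text "php", quotes included.
// $rows = search_products($db, 12, 'description', '"php"');
```

With this shape there is nothing for `smart_quote()` to do for the search page: the driver handles quoting of the bound values, the column name is validated rather than escaped, and `escape_like()` is the only piece that has to know about the LIKE clause.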