Unsure how to escape this

Posted: Sun Jul 17, 2005 10:02 pm
by SBro
I have the following function (pretty much from the php.net example) that I run for all queries:

Code:

function smart_quote($value) {
    // Undo the escaping that magic_quotes_gpc already applied, so the value is not escaped twice
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    // Trim before escaping, so trailing newlines are removed rather than turned into \n sequences
    $value = trim($value);
    // Escape for the current MySQL connection regardless of the magic_quotes setting
    return mysql_real_escape_string($value);
}
It all works fine, but now that I'm building a search page, if a user inputs (in the keyword field) something with quotes, e.g. "php", then the query will fail because of the wildcard in the LIKE clause:

Code:

// %% is a literal % for sprintf(), so the LIKE pattern ends up as "%keyword%"
$sql = sprintf('SELECT * FROM product WHERE category = %s AND %s LIKE "%%%s%%"',
    db::smart_quote($cat_id),
    db::smart_quote($search_by),
    db::smart_quote($keyword)
);
I'm not sure how to get around this, as I obviously still want to keep my code 'safe' but don't want it to fail if someone enters a search in this fashion. Any ideas?

Posted: Sun Jul 17, 2005 10:50 pm
by Ambush Commander
Why don't you try binding the parameters?

Posted: Sun Jul 17, 2005 10:56 pm
by SBro
Does MySQL support binding?

Posted: Sun Jul 17, 2005 10:58 pm
by s.dot
Turn the quotes into entities if they're not needed in the search results.
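As an added example (not code from any of the posters), here is the search query from the first post rewritten the way Ambush Commander suggests, with bound parameters through PDO's MySQL driver, which also answers the question of whether MySQL supports binding. The DSN, credentials and the list of searchable columns are assumptions for illustration, and the code is written for current PHP (scalar type hints). It goes a little beyond the thread in two ways: the `%` and `_` wildcards that a keyword may contain are escaped, since neither `mysql_real_escape_string()` nor binding handles those, and the column name in `$search_by` is checked against a fixed list, because a column name cannot be bound as a parameter.

```php
<?php
// Added example (not SBro's code): the product search from the first post using
// parameter binding via PDO. Connection details and the allowed column list are
// assumptions for illustration.

// LIKE has its own metacharacters, % and _, which neither mysql_real_escape_string()
// nor parameter binding touches. Escape them so a user searching for "50%" does not
// match every row; the ESCAPE clause in the query names the character used here.
function escape_like(string $term, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

// A column name cannot be passed as a bound parameter, so $search_by is matched
// against a fixed list of searchable columns (assumed here) instead of being escaped.
function search_column(string $search_by): string
{
    $allowed = ['name', 'description'];
    if (!in_array($search_by, $allowed, true)) {
        throw new InvalidArgumentException("not a searchable column: $search_by");
    }
    return $search_by;
}

function search_products(PDO $db, int $cat_id, string $search_by, string $keyword): array
{
    $column = search_column($search_by);
    // Placeholders replace the %s slots of the sprintf() version; the keyword,
    // quotes and all, is sent to the server separately from the SQL text.
    $sql = "SELECT * FROM product WHERE category = :cat AND `$column` LIKE :kw ESCAPE '!'";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':cat', $cat_id, PDO::PARAM_INT);
    $stmt->bindValue(':kw', '%' . escape_like(trim($keyword)) . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (host, database name and credentials are placeholders):
$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // use real server-side prepared statements
]);

// The keyword from the first post, quotes included, runs without any quoting in the SQL:
$rows = search_products($db, 5, 'name', '"php"');
foreach ($rows as $row) {
    echo $row['name'], "\n";
}
```

Because the keyword never becomes part of the SQL string, a value like `"php"` needs no quote handling at all, and `get_magic_quotes_gpc()` / `stripslashes()` only matter for undoing what magic quotes did to the raw input. On a PHP 5.0-era stack without PDO, the mysqli extension's `prepare()` and `bind_param()` give the same separation of query text and data.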