SQL injection question

Posted: Fri Jun 15, 2007 4:49 pm
by tcl4p
feyd | Please use

,

and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I've been reading about preventing SQL injection by using the function below. The problem is that when I run the function below and the escape characters are added, for instance the value '2007-06-01' now becomes \'2007-06-01\', but when it is passed to MySQL I now get a syntax error where the \ was placed. I'm sure I'm missing something, but don't know what it is. Is there some setting on MySQL that has to be set to handle the escape characters? I'm using MySQL 5.0 and PHP 5.0.

Thanks

function sql_quote( $value )
{
    // Undo the automatic escaping added by magic_quotes_gpc so the value
    // is not escaped twice.
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    // mysql_real_escape_string() needs an open MySQL connection and escapes
    // according to that connection's character set; check that it exists.
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    // for PHP version < 4.3.0 fall back to addslashes()
    else
    {
        $value = addslashes( $value );
    }
    return $value;
}


Posted: Fri Jun 15, 2007 5:21 pm
by feyd
You're passing in a string with the surrounding quotes already attached?
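As an added example that is not code from the thread, this shows the order feyd's question is pointing at: the escaping function must receive the bare value, and the quotes are added around it in the SQL string; if the quotes are already on the value, the escaper treats them as data and produces the \' that MySQL rejects. Because the mysql_* extension was removed in PHP 7, the example uses PDO with an in-memory SQLite database (an assumption, so it runs without a server); the quoting rule is the same for MySQL, and the prepared statement at the end is the form that makes the question go away entirely.

```php
<?php
// Added example, not from the thread. PDO + in-memory SQLite is an assumption
// so this runs without a MySQL server; the quoting rules are the same for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE orders (id INTEGER PRIMARY KEY, placed TEXT)");
$pdo->exec("INSERT INTO orders (placed) VALUES ('2007-06-01'), ('2007-06-02')");

// Raw input as it would arrive from a form: the bare value, no quotes around it.
$input = "2007-06-01";

// Wrong: quoting the value BEFORE escaping. The escaper sees the quotes as data
// and backslashes them, so the SQL ends in  placed = \'2007-06-01\'  which is
// exactly the syntax error from the original post.
$preQuoted = "'" . $input . "'";
$broken = "SELECT COUNT(*) FROM orders WHERE placed = " . addslashes($preQuoted);
echo "broken SQL:   $broken\n";
try {
    $pdo->query($broken);
} catch (PDOException $e) {
    echo "server says:  " . $e->getMessage() . "\n";
}

// Right, with manual escaping: escape the bare value, then add the quotes in
// the SQL. PDO::quote() does both steps (escape + surrounding quotes) at once.
$ok = "SELECT COUNT(*) FROM orders WHERE placed = " . $pdo->quote($input);
echo "quoted SQL:   $ok\n";
echo "rows matched: " . $pdo->query($ok)->fetchColumn() . "\n";   // 1

// Better still: a prepared statement. The value never becomes part of the SQL
// text, so there is nothing to escape and no quoting decision to get wrong.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM orders WHERE placed = :placed");
$stmt->execute([':placed' => $input]);
echo "prepared:     " . $stmt->fetchColumn() . " row(s)\n";        // 1

// A value containing a stray quote is just a value that matches nothing;
// it does not break the query and cannot change its structure.
$stmt->execute([':placed' => "2007-06-01'"]);
echo "stray quote:  " . $stmt->fetchColumn() . " row(s)\n";        // 0
```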