Code:
$string = "Chris'";
// the value is dropped straight into the query string; an unescaped apostrophe
// ends the SQL string literal early
$result = mysql_query("SELECT * FROM `data` WHERE `value` = '".$string."'");

astions wrote:
What does this say?

Code:
// parentheses are required: "." binds tighter than "?:", so without them the
// concatenated string is what gets tested and this line always prints ON
echo "Magic Quotes GPC is turned " . (get_magic_quotes_gpc() ? 'ON' : 'OFF');

If they were on, then it would have gone into the database from just one apostrophe.

astions wrote:
Ya think?

Code:
SELECT * FROM `data` WHERE `value` = 'Chris\\''

MySQL wrote:
#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Chris\\'' at line 1

superdezign wrote:
I was referring to when he didn't use addslashes (in the example). Magic quotes exists as a method of preventing SQL injections for those who don't know how to do it themselves.

He was using addslashes() per his comment about already escaping the variable. This, combined with the fact that get_magic_quotes_gpc() is most likely turned on, resulted in the variable being escaped twice, effectively unescaping the single quote, which caused the query to fail.
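The escaping paths argued over in this thread, as an added example that is not code from any of the posters. Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so the old GPC behaviour is modelled here by an explicit addslashes() call (the simulateMagicQuotesGpc() helper is an assumption for illustration, not a PHP function). It prints the query for the raw value, for magic quotes alone, for magic quotes plus addslashes(), and for the old fix of stripping the GPC slashes and escaping exactly once; double-escaping yields 'Chris\\\'', which MySQL decodes to Chris\' rather than Chris', so the lookup silently matches nothing, while a mismatched pair of slashes as in the query pasted above leaves the literal unterminated and produces error 1064. The last part shows the fix that makes the whole discussion moot, a prepared statement; it uses an in-memory SQLite database (assumes the pdo_sqlite extension is loaded) only so the script runs offline.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so the old GPC behaviour is modelled by calling addslashes() explicitly.

// Stand-in (hypothetical helper) for magic_quotes_gpc = On: PHP ran addslashes()
// over every GET/POST/COOKIE value before the script ever saw it.
function simulateMagicQuotesGpc(string $raw): string
{
    return addslashes($raw);
}

// The string-concatenated query from the thread, as a function.
function buildQuery(string $value): string
{
    return "SELECT * FROM `data` WHERE `value` = '" . $value . "'";
}

// Old-style fix: undo the GPC escaping once, then escape exactly once.
// addslashes() stands in for mysql_real_escape_string(), which needs a live
// connection; in real code use the driver's escaping or a prepared statement.
function escapeOnceForMysql(string $gpcValue, bool $magicQuotesOn): string
{
    $plain = $magicQuotesOn ? stripslashes($gpcValue) : $gpcValue;
    return addslashes($plain);
}

$raw = "Chris'";                        // what the user typed (constructed input)
$gpc = simulateMagicQuotesGpc($raw);    // what $_POST held with magic quotes on: Chris\'

echo "no escaping:    ", buildQuery($raw), "\n";                 // ...= 'Chris''    unterminated literal
echo "magic quotes:   ", buildQuery($gpc), "\n";                 // ...= 'Chris\''   valid
echo "double escaped: ", buildQuery(addslashes($gpc)), "\n";     // ...= 'Chris\\\'' MySQL decodes to Chris\'
echo "escaped once:   ", buildQuery(escapeOnceForMysql($gpc, true)), "\n"; // ...= 'Chris\''

// Modern fix: a parameterised query. The driver handles quoting, so neither
// magic quotes nor addslashes() is involved and the apostrophe round-trips intact.
// In-memory SQLite is used here purely so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE data (value TEXT)');
$pdo->prepare('INSERT INTO data (value) VALUES (?)')->execute([$raw]);

$stmt = $pdo->prepare('SELECT * FROM data WHERE value = ?');
$stmt->execute([$raw]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared lookup found ", count($rows), " row(s) for ", $raw, "\n";
```

Run it with `php example.php`. The "double escaped" line is the case the thread is about: the query is syntactically valid, but the stored value Chris' never matches because the literal now decodes to Chris\'. The prepared-statement lookup finds the row regardless of how many apostrophes or backslashes the input contains, which is why escaping-by-hand (magic quotes, addslashes(), or both) should not be relied on at all.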