Posted by Kevin Raleigh on 07/20/07 01:35
I took care of my SQL injection problem, but all my strings are quoted now, as
you know.
So how do I prep my username, which has quotes in the db but not in my code,
so that I can compare it to the db?
// makes sure they filled it in
if (!$_POST['username'] || !$_POST['pass']) {
    die('You did not fill in a required field.');
}
// checks it against the database
$check = mysql_query("SELECT * FROM user WHERE username = '".$_POST['username']."'")
    or die(mysql_error());
I tried addslashes();
and I tried to use the mysql_real_escape_string($userName)
but ...
insight appreciated
thank you
kevin
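
The mismatch described in the post above, as an added example that is not part of the original post: a value escaped by hand and then stored keeps its backslash, so it no longer equals the raw form value, while bound parameters store and compare the username unchanged. It assumes PDO with an in-memory SQLite database in place of the poster's mysql_* calls (that extension was removed in PHP 7); the table layout, function names and sample usernames are constructed for illustration.

```php
<?php
// Constructed in-memory table standing in for the poster's `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');

// Hypothetical helper: insert with a bound parameter. The value travels
// separately from the SQL text, so it is stored byte-for-byte as given.
function add_user(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO user (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

// Hypothetical helper: the lookup from the post, with the username bound
// instead of concatenated into the query string.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Case 1: the value was escaped by hand before it was stored. The backslash
// becomes part of the stored data, so the raw form value no longer matches.
add_user($db, addslashes("O'Brien"));
$mismatch = find_user($db, "O'Brien");

// Case 2: the raw value is stored and looked up through bound parameters.
// No addslashes() or mysql_real_escape_string() is applied on either side.
add_user($db, "D'Arcy");
$match = find_user($db, "D'Arcy");

// Case 3: a constructed input made only of SQL syntax is compared as an
// ordinary string against the username column.
$literal = find_user($db, "' OR '1'='1");

var_dump($mismatch, $match, $literal);

// Show exactly what ended up in the table for both insert paths.
foreach ($db->query('SELECT username FROM user ORDER BY id') as $row) {
    echo $row['username'], PHP_EOL;
}
```

Rows that were already stored with extra backslashes have to be cleaned in the data itself; changing how the lookup escapes its input cannot make the two forms equal.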