Posted by Kevin Raleigh on 07/20/07 01:35
I took care of my SQL injection problem but all my strings are quoted now as you know.
 
 So how do I prep my username which has quotes in the db but not in my code,
 so that I can compare it to the db?
 // makes sure they filled it in
 if(!$_POST['username'] || !$_POST['pass']) {
 die('You did not fill in a required field.');
 }
 
 // checks it against the database
 
 $check = mysql_query("SELECT * FROM user WHERE username =
 '".$_POST['username']."'")or die(mysql_error());
 
 I tried addslashes();
 and I tried to use the mysql_real_escape_string($userName)
 but ...
 insight appreciated
 thank you
 kevin
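
An added example, not part of the original post: the username lookup from the post done with a bound parameter instead of string concatenation, so the value is stored and compared unescaped. It assumes PDO, with an in-memory SQLite database and a constructed one-column `user` table standing in for the MySQL schema; `add_user` and `find_user` are hypothetical helpers.

```php
<?php
// Added example with constructed schema and data; in-memory SQLite stands
// in for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY)');

// Hypothetical helper: store the raw value through a bound parameter.
// No addslashes() or escaping call is applied, so the row holds exactly
// the characters the user typed, quotes included.
function add_user(PDO $db, string $username): void
{
    $stmt = $db->prepare('INSERT INTO user (username) VALUES (?)');
    $stmt->execute([$username]);
}

// Hypothetical helper: look the user up with a bound parameter. The value
// travels separately from the SQL text, so it is never parsed as SQL and
// needs no quoting before the comparison.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT username FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample account whose name contains a quote character.
add_user($db, "o'brien");

// Constructed inputs: the raw name, the same name after addslashes(),
// and an injection-shaped string. Each is compared as a literal username.
$inputs = [
    'raw'       => "o'brien",
    'escaped'   => addslashes("o'brien"),
    'injection' => "' OR '1'='1",
];

foreach ($inputs as $label => $input) {
    $found = find_user($db, $input) !== null;
    printf("%-9s %-14s %s\n", $label, $input, $found ? 'match' : 'no match');
}
```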