Re: prepping data for compare after using sqls mysql_real_escape_string($userName)

Posted by Kevin Raleigh on 07/20/07 04:33

"Kevin Raleigh" <kraleigh@sbcglobal.net> wrote in message
news:5bydnU4QCKjvjT3bnZ2dnUVZ_vmlnZ2d@giganews.com...
> I took care of my sql injection problem but all my strings are quoted now as
> you know.
>
> So how do I prep my username which has quotes in the db but not in my code,
> so that I can compare it to the db?
> // makes sure they filled it in
> if(!$_POST['username'] || !$_POST['pass']) {
> die('You did not fill in a required field.');
> }
>
> // checks it against the database
>
> $check = mysql_query("SELECT * FROM user WHERE username = '".$_POST['username']."'") or die(mysql_error());
>
> I tried addslashes();
> and I tried to use the mysql_real_escape_string($userName)
> but ...
> insight appreciated
> thank you
> kevin
>
>

Problem resolved, and it was a problem...

Thank You
Kevin
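
Added example, not part of the original post and not the poster's fix: a login lookup with bound parameters, where the username is stored and compared exactly as typed, so nothing needs to be escaped or un-escaped before the comparison. It assumes the pdo_sqlite extension (an in-memory SQLite database stands in for MySQL), reuses the `user` table and the `username`/`pass` fields from the quoted code, and the `register()`/`login()` helpers and the sample account are hypothetical.

```php
<?php
// Added example: constructed data; in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');

// Registration (hypothetical helper): the value is bound as a parameter,
// so it is stored byte-for-byte as typed, with no added slashes or quotes.
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO user (username, pass) VALUES (:u, :p)');
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

// Login (hypothetical helper): the lookup binds the raw input the same way,
// so the stored and submitted usernames compare equal without any escaping.
function login(PDO $pdo, array $post): bool
{
    $username = $post['username'] ?? '';
    $password = $post['pass'] ?? '';
    if (!is_string($username) || !is_string($password)
        || $username === '' || $password === '') {
        return false; // a required field is missing
    }
    $stmt = $pdo->prepare('SELECT pass FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

register($pdo, "O'Brien", 'correct horse'); // constructed sample account

// The stored username is identical to the input, apostrophe included.
$stored = $pdo->query('SELECT username FROM user')->fetchColumn();
var_dump($stored === "O'Brien");

var_dump(login($pdo, ['username' => "O'Brien", 'pass' => 'correct horse']));
var_dump(login($pdo, ['username' => "O'Brien", 'pass' => 'wrong']));
// Injection-shaped input is just a literal username that matches no row.
var_dump(login($pdo, ['username' => "x' OR '1'='1", 'pass' => 'anything']));
```

The mysql_* functions used in the quoted post were removed in PHP 7; PDO or mysqli with bound parameters replaces them.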

 
