Posted by Kevin Raleigh on 07/20/07 04:33
"Kevin Raleigh" <kraleigh@sbcglobal.net> wrote in message
news:5bydnU4QCKjvjT3bnZ2dnUVZ_vmlnZ2d@giganews.com...
> I took care of my sql injection problem but all my strings are quoted now as
> you know.
>
> So how do I prep my username which has quotes in the db but not in my code,
> so that I can compare it to the db?
> // makes sure they filled it in
> if(!$_POST['username'] || !$_POST['pass']) {
> die('You did not fill in a required field.');
> }
>
> // checks it against the database
>
> $check = mysql_query("SELECT * FROM user WHERE username = '".$_POST['username']."'") or die(mysql_error());
>
> I tried addslashes();
> and I tried to use the mysql_real_escape_string($userName)
> but ...
> insight appreciated
> thank you
> kevin
>
>
Problem resolved, and it was a problem...
Thank You
Kevin
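
Added example (not part of the original post, and not the fix Kevin arrived at): the mismatch described in the question, where escaped text ends up stored in the table and no longer equals the raw form value, and the same lookup done with a bound parameter so no escaping is written into the data. It assumes PHP with PDO and the pdo_sqlite extension; the in-memory SQLite database, the two-column `user` table, the helper names and the sample names are constructed for the demonstration.

```php
<?php
// Constructed demo: in-memory SQLite stands in for the MySQL `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');

// Hypothetical helper: insert with a bound parameter, no manual escaping.
function add_user(PDO $db, string $username): void {
    $stmt = $db->prepare('INSERT INTO user (username) VALUES (?)');
    $stmt->execute([$username]);
}

// Hypothetical helper: look up by exact username; returns the row or false.
function find_user(PDO $db, string $username) {
    $stmt = $db->prepare('SELECT id, username FROM user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Case 1: the value is escaped by hand AND then stored, so the backslash
// becomes part of the data. This is how "quoted" strings end up in the table.
$typed = "D'Arcy";                      // constructed sample form input
add_user($db, addslashes($typed));      // the row now holds the escaped text
$row = find_user($db, $typed);          // lookup with what the user typed
echo "escaped-then-stored row found by raw input: ";
var_dump($row !== false);

// Case 2: the raw value is bound on both insert and lookup. The apostrophe
// is treated as data, never as SQL, and the stored text equals the input.
$typed2 = "O'Brien";                    // constructed sample form input
add_user($db, $typed2);
$row2 = find_user($db, $typed2);
echo "bound-parameter row found by raw input: ";
var_dump($row2 !== false && $row2['username'] === $typed2);

// Case 3: an input shaped like a quote-breaking string is just an unknown
// username to the prepared statement; it cannot change the WHERE clause.
$row3 = find_user($db, "nobody' OR '1'='1");
echo "quote-breaking input matched a row: ";
var_dump($row3 !== false);
```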