This is a discussion on prepping data for compare after using sqls mysql_real_escape_string($userName) within the alt.comp.lang.php forums, part of the PHP Programming Forums category.
I took care of my sql injection problem but all my strings are quoted now as
you know.

So how do I prep my username which has quotes in the db but not in my code,
so that I can compare it to the db?

// makes sure they filled it in
if(!$_POST['username'] || !$_POST['pass']) {
    die('You did not fill in a required field.');
}

// checks it against the database

$check = mysql_query("SELECT * FROM user WHERE username = '".$_POST['username']."'")or die(mysql_error());

I tried addslashes();
and I tried to use the mysql_real_escape_string($userName)
but ...
insight appreciated
thank you
kevin
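Added example, not part of the thread and not the poster's code: one way to keep the stored username and the compared username in the same form is to bind values instead of escaping them by hand. It assumes PDO with the SQLite driver as an offline stand-in for the MySQL connection; the table layout, the helper names addUser/userExists and the sample name are constructed, and the thread does not say whether double escaping was the actual cause.

```php
<?php
// Added example: constructed schema and sample data. SQLite in memory stands
// in for the MySQL server so the script runs offline (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, pass TEXT)');

// Hypothetical helper: insert a user with both values bound as parameters,
// so nothing from the request is concatenated into the SQL text.
function addUser(PDO $db, string $username, string $passHash): void
{
    $stmt = $db->prepare('INSERT INTO user (username, pass) VALUES (?, ?)');
    $stmt->execute([$username, $passHash]);
}

// Hypothetical helper: true when a row with exactly this username exists.
function userExists(PDO $db, string $username): bool
{
    $stmt = $db->prepare('SELECT 1 FROM user WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchColumn() !== false;
}

$name = "o'brien";                                  // constructed input with a quote
$hash = password_hash('secret', PASSWORD_DEFAULT);  // constructed password

// Case 1: the raw value is bound on insert. It is stored verbatim, so a
// lookup that binds the same raw value finds the row.
addUser($db, $name, $hash);
printf("raw insert, raw lookup:         %s\n", var_export(userExists($db, $name), true));

// Case 2: the value is escaped by hand and then bound as well. The backslash
// added by addslashes() is now part of the stored data, so the raw value no
// longer matches and only the escaped form does.
$db->exec('DELETE FROM user');
addUser($db, addslashes($name), $hash);
printf("escaped insert, raw lookup:     %s\n", var_export(userExists($db, $name), true));
printf("escaped insert, escaped lookup: %s\n", var_export(userExists($db, addslashes($name)), true));
```

With the mysql_* functions used in the question, the equivalent rule is to apply mysql_real_escape_string() exactly once, at the point where the value is placed into the query string, for both the INSERT and the SELECT.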
"Kevin Raleigh" <kraleigh@sbcglobal.net> wrote in message news:5bydnU4QCKjvjT3bnZ2dnUVZ_vmlnZ2d@giganews.com ...
> I took care of my sql injection problem but all my strings are quoted now as
> you know.
>
> So how do I prep my username which has quotes in the db but not in my code,
> so that I can compare it to the db?
> // makes sure they filled it in
> if(!$_POST['username'] || !$_POST['pass']) {
> die('You did not fill in a required field.');
> }
>
> // checks it against the database
>
> $check = mysql_query("SELECT * FROM user WHERE username =
> '".$_POST['username']."'")or die(mysql_error());
>
> I tried addslashes();
> and I tried to use the mysql_real_escape_string($userName)
> but ...
> insight appreciated
> thank you
> kevin
>
>

Problem resolved, and it was a problem...

Thank You
Kevin