I have an email address mike.o'[email protected] stored in a posted variable and I want a select statement in mysql to validate the existance of the email address and retrieve a password from my table. My query gets stuck at the apostophe when it trys to execute. eg "SELECT pwd FROM tbl_users WHERE userName = '$email'"; Any assistance will be much appreciated, thanks in advance.
views:
134answers:
3
+1
A:
You should use mysql_real_escape_string to quote the value. In fact, you should use it every time you insert a value in a query, if you dont, you are not only open to errors, also to SQL Injection.
You should use it like this:
if ( get_magic_quotes_gpc() ) {
$email = stripslashes($email);
}
$quoted_email = mysql_real_escape_string($email, $db_connection);
$query = "SELECT pwd FROM tbl_users WHERE userName='".$quoted_email."'";
Edit: If PHP has magic quotes on, all superglobals values ( values in $_GET, $_POST, ... ) are quoted with addslashes which sucks. You should consider turning it off.
Juan
2010-02-08 03:52:29
I tried it and get this when echoing my query, without result (naturally)SELECT pwd FROM tbl_users WHERE userName = 'mike.o\\\'[email protected]'
Michael
2010-02-08 03:55:11
I'm thinking you have magic quotes on. Gonna do an edit on that now.
Juan
2010-02-08 03:59:42
ufortunately the same result as above :)
Michael
2010-02-08 04:08:36
yes magic quotes are on - sholuld I turn them off?
Michael
2010-02-08 04:10:14
Yes, you should, it's a deprecated feature and it makes you do everything twice. It's strange it doesnt work.
Juan
2010-02-08 04:17:25
I'm getting this now SELECT pwd FROM tbl_users WHERE userName = 'mike.o\'[email protected]'. I checked the database and the email address is correctly stored. I think it's the apostrophe... somehow
Michael
2010-02-08 04:24:52
I turned off magic quotes before trying again
Michael
2010-02-08 04:25:24
That query seems valid. I just tested retrieving a value with an apostrophe in it with that quoting and it worked. You should check if mysql throws any errors with mysql_error ( http://ar2.php.net/manual/en/function.mysql-error.php )
Juan
2010-02-08 04:44:15
Thanks for trying - I'll keep battling here to see if I can see it, cheers
Michael
2010-02-08 06:28:52
A:
Use mysql_real_escape_string, for example:
$email = mysql_real_escape_string($email);
Note this should be done regardless when using variable strings in unprepared SQL to prevent SQL injection vulnerabilities.
enbuyukfener
2010-02-08 03:52:34
Using it but get this SELECT pwd FROM tbl_users WHERE userName = 'mike.o\'[email protected]'
Michael
2010-02-08 04:16:04
A:
How about wrapping $email in PHP's mysql_real_escape_string? Sanitizing all your user generated input is a good idea..
http://us.php.net/manual/en/function.mysql-real-escape-string.php
EDIT:
Mike "\" is the MySQL escape character. Here is the MySQL 5.0's documentation on strings.
mysql_real_escape_string correctly escapes the email address as 'mike.o\'[email protected]'. Here is a full example:
// Connect
$link = mysql_connect('localhost', 'simeon', 'password')
OR die(mysql_error());
$db_selected = mysql_select_db('db', $link);
$email = "mike.o'[email protected]";
// Query
$query = "SELECT email FROM users WHERE email='".mysql_real_escape_string($email)."'";
$result = mysql_query($query);
while ($row = mysql_fetch_assoc($result)) {
echo 'email: '.$row['email']."\n"; // email: mike.o'[email protected]
}
simeonwillbanks
2010-02-08 03:52:53
Using it but get this SELECT pwd FROM tbl_users WHERE userName = 'mike.o\'[email protected]'
Michael
2010-02-08 04:15:41
Michael, as Juan pointed out, please make sure magic quotes are turned off. Above, I've edited my post with a more detailed explanation. Hope this helps.
simeonwillbanks
2010-02-09 16:13:33