PHP / MySQL Error Querying Email Address

Question

Hi,

I've been trying to query an email address using the following statement, however after hours of trying to escape the string successfully I've accepted defeat.

The query I am using is: SELECT id, email FROM user WHERE email = '$email'

That gives me an error:

MySQL Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '@gmail.com' at line 1

I'm sure it's simple.. I just can't seem to find an answer anywhere that works.

UPDATE #1

The code that I have been using is:

$email = "[email protected]";

$sql = "SELECT id, email FROM user WHERE email = '$email'";

$result = mysql_query($sql) or die('Unable to connect: '.mysql_error());

UPDATE #2

The email comes from the Facebook connect API.

Answer 1

This is probably because you the E-Mail address that you get from Facebook connect contains quotes, e.g. something like

"Harry"@gmail.com  
"[email protected]"

when pulling data from a web service (or from anywhere else), you need to escape the data to prevent SQL injection, and garbled queries like in your situation.

In your case:

$email = mysql_real_escape_string($email);