Quotes messing up a mysql_query



Jon W
03-05-2009, 04:08 AM
Okay, so I'm having a little problem. I'm not too sure how I fix this, but I am hoping that someone can explain to me how I can fix this. Okay, so I was making a login on my site. The site URL is http://mechfans.sytes.net/login.php. When I type in a username (doesn't matter which) and put in a quote as the password, I get this error: Server Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"""' at line 1. I'm not too sure how I can fix this. So I'll give you the mysql_query that I have for that and hopefully someone can give me the answer. :)

mysql_query("SELECT user_id, username, password, user_level, active, last_ip FROM users WHERE username=\"$username\" AND password=\"$password\"") or die("Server Error: " . mysql_error());

If you want then go to the page and try it for yourself.

Page: http://mechfans.sytes.net/login.php

Put a random username in and put a quote as a password and click "login".

Thanks,
Jon W

BubikolRamios
03-05-2009, 07:32 AM
not familiar with this syntax but think u need to insert something like this:

='\"$password\"'

plus replace any ' inside password with escaped '

oesxyl
03-05-2009, 07:41 AM
you must validate the data you get from users before you send them to mysql.

http://www.php.net/manual/en/security.database.sql-injection.php

best regards
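The lookup from the first post rewritten with a PDO prepared statement, as an added example that is not code from the thread: the username and password travel as bound parameters, so the lone double quote that broke the original query is handled as data. It assumes PDO with an in-memory SQLite database standing in for MySQL (only the DSN would differ), the column names from the thread's query, and a constructed sample row.

```php
<?php
// Added example, not code from the thread. Same lookup as the original
// mysql_query, but as a PDO prepared statement: $username and $password are
// sent as parameters, so a " in the password is plain data to the server.
// An in-memory SQLite database stands in for MySQL so this runs stand-alone;
// against MySQL only the DSN changes (e.g. 'mysql:host=localhost;dbname=site').
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Columns taken from the query in the thread; the row itself is constructed.
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,
            password TEXT, user_level INTEGER, active INTEGER, last_ip TEXT)');
$pdo->prepare('INSERT INTO users (username, password, user_level, active, last_ip)
               VALUES (?, ?, ?, ?, ?)')
    ->execute(['jon', '"', 1, 1, '127.0.0.1']);   // password is a single "

function findUser(PDO $pdo, string $username, string $password): ?array
{
    // Named placeholders replace the "...\"$username\"..." interpolation. The
    // SQL text is fixed at prepare time, so no input value can alter its syntax.
    $stmt = $pdo->prepare(
        'SELECT user_id, username, password, user_level, active, last_ip
           FROM users
          WHERE username = :username AND password = :password'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The exact input from the thread: a lone double quote as the password.
$hit = findUser($pdo, 'jon', '"');
if ($hit === null) {
    throw new RuntimeException('a " password should match the stored row');
}
// An apostrophe is equally harmless: it is compared as data and simply fails.
if (findUser($pdo, 'jon', "it's") !== null || findUser($pdo, 'jon', 'wrong') !== null) {
    throw new RuntimeException('wrong passwords must not match');
}
echo "login lookup with a \" password matched user_id {$hit['user_id']}\n";
// Note: the plaintext password comparison is kept only to mirror the thread;
// store password_hash() output and check it with password_verify() instead.
```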