Quotes messing up a mysql_query

Jon W
03-05-2009, 03:08 AM
Okay, so I'm having a little problem. I'm not too sure how I fix this, but I'm hoping that someone can explain to me how I can fix this. Okay, so I was making a login on my site. The site URL is http://mechfans.sytes.net/login.php. When I type in a username (it doesn't matter which) and, say, put in a quote as the password, I get this error: Server Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"""' at line 1. I'm not too sure how I can fix this. So I'll give you the mysql_query that I have for that and hopefully someone can give me the answer. :)

mysql_query("SELECT user_id, username, password, user_level, active, last_ip FROM users WHERE username=\"$username\" AND password=\"$password\"") or die("Server Error: " . mysql_error());

If you want then go to the page and try it for yourself.

Page: http://mechfans.sytes.net/login.php

Put a random username in and put a quote as a password and click "login".

Jon W

03-05-2009, 06:32 AM
Not familiar with this syntax, but I think you need to insert something like this:


plus replace any ' inside password with escaped '

03-05-2009, 06:41 AM
You must validate the data you get from users before you send it to MySQL.


best regards
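
Added example, not part of any post in this thread: the same login lookup written with a PDO prepared statement, so a quote in the username or password is handled as data instead of breaking the SQL. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, the login() helper and the sample account are constructed for illustration, and the password column stores a password_hash() value rather than plain text.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs
// offline (assumption); column names follow the query posted in the thread.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password TEXT, user_level INTEGER, active INTEGER, last_ip TEXT)');

// Constructed sample account. The password column holds a hash, and the
// password itself contains a double quote to show quotes are ordinary data.
$ins = $pdo->prepare('INSERT INTO users (username, password, user_level, active, last_ip)
    VALUES (?, ?, 1, 1, ?)');
$ins->execute(['jon', password_hash('s3cret"pw', PASSWORD_DEFAULT), '127.0.0.1']);

// Hypothetical helper: returns the user row (without the hash) or null.
function login(PDO $pdo, string $username, string $password): ?array
{
    try {
        // The placeholder is bound by the driver, so $username never becomes
        // part of the SQL text and no manual quote escaping is needed.
        $stmt = $pdo->prepare('SELECT user_id, username, password, user_level, active, last_ip
            FROM users WHERE username = :username');
        $stmt->execute([':username' => $username]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        // Log the detail server-side instead of echoing it to the visitor.
        error_log('login query failed: ' . $e->getMessage());
        return null;
    }
    // The password is compared in PHP against the stored hash, not in SQL.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Constructed inputs: the quote-only password from the thread, plus a valid login.
$attempts = [['anyone', '"'], ['jon', '"'], ["o'brien", "'"], ['jon', 's3cret"pw']];
foreach ($attempts as [$user, $pass]) {
    $result = login($pdo, $user, $pass);
    printf("%-8s %-10s => %s\n", $user, $pass, $result ? 'logged in' : 'rejected');
}
```

The same prepare/execute calls work unchanged against MySQL when the PDO object is created with a mysql: DSN.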