Selecting from a database

New php-forum User
Posts: 40
Joined: Fri Aug 09, 2002 11:53 am
Location: Rochester, NY

Sat Feb 22, 2003 1:20 pm

Hi, I have a quick and easy question. I have a username and password script that has a problem when you select from it. If someone has a ' in it, for example O'brien, there's an SQL error. Here's a test page to show you:

For the username, put: O'brien
There will be an error. How can I fix that? The PHP code I used is below:

Code:

if(!isset($submit)) {

    // First load: show the login form
    echo "<form method=POST action=$PHP_SELF>
Username: <input type=text name=username><br>
<input type=submit name=submit value=submit>
</form>";

} else if(isset($submit) && !empty($username)) {

    // $username goes into the query text unescaped, so a ' in it ends the string literal early
    $sql = "SELECT * FROM auth WHERE username = '$username'";
    $result = @mysql_query($sql) or die(mysql_error());

    if(mysql_num_rows($result) == "1") {

        echo "<b>Successfully logged in!! - $username</b>";

    }

}

I thank you very much, I really appreciate it!!

Ken Cooper
Thanks for your help!

Posts: 1240
Joined: Thu Jun 20, 2002 10:14 pm
Location: Ukraine, Crimea, Simferopol

Sun Feb 23, 2003 5:12 am

All I can say to you is magic quotes, only magic quotes.
"Sex,Drugs and Rock&Roll " replaced at "Sucks,Bugs and Plug&Play";

Posts: 826
Joined: Tue Jan 21, 2003 10:42 pm
Location: Michigan USA

Sun Feb 23, 2003 11:59 am

Put the variable that you are posting in addslashes().

This will add the appropriate slashes. Also use mysql_escape_string() to make sure it is MySQL safe.

The syntax for that would be

Code:

$variable = mysql_escape_string(addslashes($variable));

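For reference, an added example that is not part of the thread: the lookup from the question run through a prepared statement, where the value is bound separately from the SQL text, beside the concatenated form that fails on O'brien. It assumes PDO with the pdo_sqlite driver and uses a constructed in-memory `auth` table in place of the thread's MySQL database; the function names are hypothetical. The `mysql_*` functions used in the thread were removed in PHP 7.0, and with bound parameters no escaping function should be applied on top.

```php
<?php
// Added example: constructed in-memory table standing in for the thread's `auth` table.
// Assumes the pdo_sqlite extension; the same prepare/execute calls work with PDO on MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE auth (username TEXT PRIMARY KEY)");
$pdo->exec("INSERT INTO auth (username) VALUES ('O''brien'), ('kcooper')");

// The thread's query shape: the value is pasted into the SQL text,
// so the apostrophe ends the string literal early and the statement fails to parse.
function lookup_concatenated(PDO $pdo, string $username): string
{
    try {
        $rows = $pdo->query("SELECT * FROM auth WHERE username = '$username'")->fetchAll();
        return count($rows) . ' row(s)';
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

// Bound parameter: the SQL text is fixed and the value travels separately,
// so quotes in the value are data and never part of the statement.
function lookup_bound(PDO $pdo, string $username): string
{
    $stmt = $pdo->prepare('SELECT * FROM auth WHERE username = ?');
    $stmt->execute([$username]);
    return count($stmt->fetchAll()) . ' row(s)';
}

$name = "O'brien"; // the input from the question

echo "concatenated:             ", lookup_concatenated($pdo, $name), "\n";
echo "bound:                    ", lookup_bound($pdo, $name), "\n";
// Escaping before binding changes the value: the added backslash is now
// part of the name being searched for, so the stored row no longer matches.
echo "bound after addslashes(): ", lookup_bound($pdo, addslashes($name)), "\n";
```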