jbwebdesign Posted November 18, 2010

Okay, I had a problem with one of my scripts... It's interesting and I thought that I should post it.

I have a field in my database that contains characters such as {#blah}.

I want to validate my form so that if the field {#blah} already exists, it shows an error string.

The problem is that when I create a query for MySQL such as:

//$_POST['variable'] = '{#blah}';
$query = "SELECT * FROM ". TABLE_VARIABLES ." WHERE variable = ".$_POST['variable'];

it doesn't work, and I believe it's because of the special characters being used: {}

So I'm wondering, how would I fix this problem? Would I have to use the mysql_real_escape_string function?
falkencreative Posted November 18, 2010

When you say "it doesn't work" you mean you are getting 0 results? I would open phpMyAdmin and work with the query in the "SQL" tab until it does work. One thing to check -- you may need single quotes around your "$_POST['variable']".

Another thing to check... I would make sure you are properly escaping any input -- both when you create new records within the TABLE_VARIABLES table, and when you try to select data from that table. Placing unescaped $_POST data directly in your database query is just asking for trouble, even if the public will never see this part of the application. Also, if you escape the data when you create the record, but don't escape the data when you try to select records, it may result in 0 results.
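The duplicate check discussed in this thread, written with bound parameters so the value needs neither manual quoting nor escaping. This is an added example, not code from either poster. Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the table name, the sample rows and the helper `variableExists()` are constructed for illustration.

```php
<?php
// Added illustration; not code from the thread.
// Assumption: SQLite in memory replaces MySQL here; the prepare()/execute()
// calls are the same when the PDO object is created with a MySQL DSN.
define('TABLE_VARIABLES', 'variables'); // constructed table name

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ' . TABLE_VARIABLES . ' (id INTEGER PRIMARY KEY, variable TEXT UNIQUE)');

// Insert through a placeholder as well, so stored and looked-up values
// are handled the same way on both paths.
$insert = $pdo->prepare('INSERT INTO ' . TABLE_VARIABLES . ' (variable) VALUES (?)');
foreach (['{#blah}', "{#it's}"] as $seed) { // constructed sample rows
    $insert->execute([$seed]);
}

/** Returns true when $name is already stored. The value is bound, never concatenated. */
function variableExists(PDO $pdo, string $name): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM ' . TABLE_VARIABLES . ' WHERE variable = ? LIMIT 1');
    $stmt->execute([$name]);
    return $stmt->fetchColumn() !== false;
}

// The concatenated form from the question: the value lands in the SQL text
// unquoted, so the database tries to parse {#blah} as SQL.
$posted = '{#blah}'; // stands in for $_POST['variable']
try {
    $pdo->query('SELECT * FROM ' . TABLE_VARIABLES . ' WHERE variable = ' . $posted);
    echo "concatenated: ran\n";
} catch (PDOException $e) {
    echo "concatenated: rejected by the SQL parser\n";
}

// Constructed form inputs: an existing value, one containing a quote,
// an unused value, and a string that would alter a concatenated query.
foreach (['{#blah}', "{#it's}", '{#new}', "x' OR '1'='1"] as $input) {
    echo str_pad($input, 14), variableExists($pdo, $input) ? "already exists\n" : "free\n";
}
```

The `mysql_*` functions mentioned in the thread were removed in PHP 7.0; bound parameters replace both the manual quoting and the escaping step.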