-
Aug 16th, 2006, 02:19 PM
#1
Thread Starter
Hyperactive Member
[Resolved]PHP problem with '
Code:
$sql = "SELECT mem_id FROM t_user where user_name='$musername' and user_password='$pwd'";
$result = mysql_db_query($db, $sql);
$row = mysql_fetch_array($result);
I get an error if any input contains '
Why does this happen? I'm sure this code should work fine.
Is there any problem with the PHP version?
Last edited by naruponk; Aug 18th, 2006 at 12:45 PM.
-
Aug 16th, 2006, 02:44 PM
#2
Re: PHP problem with '
Think about it: the $ expression in the string is replaced by the content of the variable. Take the resulting SQL query and search for what's wrong with it.
The issue is the root of the security problem called SQL injection. The direct solution is to use the addslashes() function to escape the parameter so that you can use it. However, this solution is error-prone. It is better not to use the old mysql API and instead use any of several better DB APIs that support prepared statements. Prepared statements contain parameter placeholders that you can then assign values to, and the API takes care of escaping the parameters.
APIs that support PSs are:
MySQLi (MySQL improved): MySQL-only, PHP5-only
PEAR::MDB2: Cross-DB, cross-version. See http://pear.php.net/ for details. Look for MDB2.
PDO (PHP Data Objects): Cross-DB, PHP5-only. Comes by default with PHP5.1. Preferred for PHP5-only development.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
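As an added illustration of the point above (this is not code from the thread or from any of the posters), the following script runs the thread starter's query both ways: pasted together as a string, and as a PDO prepared statement. It assumes PHP with the PDO SQLite driver and uses an in-memory database with a constructed t_user table, so it runs offline; the table contents and the `lookupInterpolated` / `lookupPrepared` helper names are assumptions for the demo, not anything from the original post. It shows the error the poster saw (an apostrophe in the name) and goes one step further than the thread: the same flaw used deliberately to bypass the password check.

```php
<?php
// Added example, not part of the original thread. In-memory SQLite stands in
// for the poster's MySQL database; the table and rows below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_user (mem_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
$db->exec("INSERT INTO t_user (user_name, user_password) VALUES ('alice', 'correct horse')");

// 1. The construction from the thread: the variables are pasted into the SQL text,
//    so whatever the user typed is parsed as SQL.
function lookupInterpolated(PDO $db, string $musername, string $pwd): array
{
    $sql = "SELECT mem_id FROM t_user where user_name='$musername' and user_password='$pwd'";
    echo "SQL sent to the server: $sql\n";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. A prepared statement: the SQL text is fixed at prepare time and the values are
//    handed over separately, so they can never be read as SQL.
function lookupPrepared(PDO $db, string $musername, string $pwd): array
{
    $stmt = $db->prepare('SELECT mem_id FROM t_user WHERE user_name = ? AND user_password = ?');
    $stmt->execute([$musername, $pwd]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A plain apostrophe in the name: this is the error the poster ran into.
// The quote closes the string literal early and "brien' and ..." is a syntax error.
try {
    lookupInterpolated($db, "o'brien", 'x');
} catch (PDOException $e) {
    echo "interpolated query failed: " . $e->getMessage() . "\n";
}

// The same flaw used on purpose. The quote closes the literal and the rest of the
// input becomes part of the WHERE clause, which is now true for every row.
$payload = "' OR '1'='1";
echo "interpolated query with injected input returned mem_id(s): ";
print_r(lookupInterpolated($db, $payload, $payload)); // alice's mem_id, with no valid password

// With a prepared statement both inputs are compared as literal strings.
echo "prepared, o'brien / x: ";
print_r(lookupPrepared($db, "o'brien", 'x'));          // empty: no such user, no error
echo "prepared, injected input: ";
print_r(lookupPrepared($db, $payload, $payload));       // empty: the payload is just a string
echo "prepared, real credentials: ";
print_r(lookupPrepared($db, 'alice', 'correct horse')); // alice's mem_id
```

Run it with `php example.php`. The printed "SQL sent to the server" line is the quickest way to see what went wrong in the original code: read the query the server actually receives, not the PHP that built it.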
-
Aug 17th, 2006, 12:20 AM
#3
Re: PHP problem with '
Also, magic quotes should be on by default, you or your host must have disabled them somehow. Buuuuuut, I second CB's suggestion.
-
Aug 17th, 2006, 10:05 AM
#4
Re: PHP problem with '
Magic quotes are evil. They disguise the problem, instead of solving it.
All the buzzt
 CornedBee
-
Aug 17th, 2006, 12:05 PM
#5
Thread Starter
Hyperactive Member
Re: PHP problem with '
Thanks for suggestion
-
Aug 17th, 2006, 11:41 PM
#6
Fanatic Member
Re: PHP problem with '
You are getting the error because the single quote (') is a reserved SQL character, but it is possible to escape it with a backslash,
like this:
PHP Code:
$string = "that's it";
$string = str_replace("'", "\'", $string);
-
Aug 17th, 2006, 11:48 PM
#7
Re: PHP problem with '
Read CB's post again. If you must manually replace them, use addslashes(). But you should be using prepared statements instead so that you avoid all this nonsense.
-
Aug 18th, 2006, 02:41 AM
#8
Re: PHP problem with '
 Originally Posted by modpluz
You are getting the error because the single quote (') is a reserved SQL character, but it is possible to escape it with a backslash,
like this:
PHP Code:
$string = "that's it";
$string = str_replace("'", "\'", $string);
At the very least you should use a database-specific routine such as mysql_escape_string(). Other databases use different escape sequences. Access and MSql, for example, use '' and VFP doesn't even have them, so they must be replaced in SQL using ' + CHAR("'") + '
-
Aug 18th, 2006, 04:54 AM
#9
Thread Starter
Hyperactive Member
Re: PHP problem with '
Code:
$sql = "SELECT mem_id FROM t_user where user_name=". '"'. $musername. '"'. ' and user_password='. '"'. $pwd. '"';
I am just using this one now to quickly resolve the problem.
Does anyone think there is any problem with it?
-
Aug 18th, 2006, 05:13 AM
#10
Re: PHP problem with '
You haven't solved the problem at all. You've just made it so double quotes will stuff it up rather than single quotes.
-
Aug 18th, 2006, 09:55 AM
#11
Re: PHP problem with '
Why is it that people so desperately search for wrong AND hard ways to solve problems, when the easy and correct way is laid out for them?
Code:
require_once('MDB2.php');
$dsn = 'mysql://user:password@localhost/database';
$db =& MDB2::connect($dsn);
if (PEAR::isError($db)) { die($db->getMessage()); }
// The ? placeholders keep the SQL text fixed; the values are bound at execute time.
$query =& $db->prepare('SELECT mem_id FROM t_user WHERE user_name = ? AND user_password = ?');
$results =& $query->execute(array($musername, $pwd));
if (PEAR::isError($results)) { die($results->getMessage()); }
$row = $results->fetchRow();
All the buzzt
 CornedBee
-
Aug 18th, 2006, 12:40 PM
#12
Thread Starter
Hyperactive Member
Re: PHP problem with '
The above replies are very useful and work fine,
but the last one is wonderful.
I will try this.
Thanks for all the help.
Last edited by naruponk; Aug 18th, 2006 at 12:44 PM.