
UPDATE Code not working.

Any Ideas?

         

inveni0

4:07 pm on Nov 18, 2006 (gmt 0)

10+ Year Member



Can anyone tell me why this may not be working?

mysql_query("UPDATE GC SET GCNumber=".$GC.", KEYCODE=".$KEY2." WHERE KEYCODE=".$_GET['KEY']);

On running a print of those variables, everything looks fine. But this line isn't updating my table!

justageek

4:13 pm on Nov 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Put the query in a var and if any of the values are a string you need change the query to handle that. Something like:

$query = "UPDATE GC SET GCNumber='".$GC."', KEYCODE='".$KEY2."' WHERE KEYCODE='".$_GET['KEY']."'";

mysql_query($query);

BTW - MySQL does not care if you have the ticks around numbers either.

JAG

inveni0

4:15 pm on Nov 18, 2006 (gmt 0)

10+ Year Member



My hero.... That makes perfect sense! Thanks.

eelixduppy

4:22 pm on Nov 18, 2006 (gmt 0)



Make sure to escape your variables!


$query = "UPDATE GC SET GCNumber='".$GC."', KEYCODE='".$KEY2."' WHERE KEYCODE='".mysql_real_escape_string($_GET['KEY'])."'";

(mysql_real_escape_string: http://us2.php.net/manual/en/function.mysql-real-escape-string.php)

:)

inveni0

7:14 pm on Nov 18, 2006 (gmt 0)

10+ Year Member



The other method works...what's with needing to escape the variables?

**EDIT**

Ahhh, I see. The Key that is doing the replacing is built with PHP code, uses no user input, and thus has no special characters. But that command is great to know!

eelixduppy

9:36 pm on Nov 18, 2006 (gmt 0)



If you are using a GET variable without any sanitation being applied to it then you must use mysql_real_escape_string.

You say that the variable content isn't created by a user, however anyone can type something into the url to get the desired SQL Injection through the GET variable.

inveni0

2:36 am on Nov 19, 2006 (gmt 0)

10+ Year Member



The GET variable is an md5 of several other operations. There's no way they'd ever successfully enter a value of 32 random letters and numbers that would match an existing record in my table. If they did, they deserve the spoils! But your point is well taken!

eelixduppy

5:11 am on Nov 19, 2006 (gmt 0)



It doesn't matter if it matches a column value or not. It is based on how your query is constructed. Hackers can take advantage of this to gain information about your database and even do some damage. Even if the query returns no rows, their query is still executed.

Please read about SQL Injections [us2.php.net]. It is definitely worth your time. If you do not use mysql_real_escape_string, then you are leaving your information out in the open!

inveni0

2:06 pm on Nov 19, 2006 (gmt 0)

10+ Year Member



I'm not saying you're wrong, it's just that I've browsed these forums (as a noob) for some time now and haven't heard of this before. So, it's new to me.

eelixduppy

2:32 pm on Nov 19, 2006 (gmt 0)



ok; I was just looking out for you. From one of your previous posts it sounded like you were omitting it because it is "unneeded".

Anyway, good luck with what you are doing ;)

Atomic_Guy

2:57 pm on Nov 19, 2006 (gmt 0)

10+ Year Member



Just curious....

What is the significance of using
mysql_real_escape_string(); and
addslashes();

[edited by: Atomic_Guy at 2:57 pm (utc) on Nov. 19, 2006]

eelixduppy

3:05 pm on Nov 19, 2006 (gmt 0)



Atomic_Guy,

mysql_real_escape_string [us2.php.net] and mysql_escape_string [us2.php.net] both have slightly different uses than addslashes [us2.php.net].

mysql_real_escape_string and mysql_escape_string both protect from SQL Injection. Read up on the links for more information. If you can, you want to use these functions. If you are using another database other than mysql, there may be other options to escape your query variables.

Addslashes adds slashes to these characters: ' " / NULL

Hope this explains the difference Atomic_Guy ;)

Atomic_Guy

3:50 pm on Nov 19, 2006 (gmt 0)

10+ Year Member



Yes! Thank you so much. So it seems it's always best to use escapes. But how do you use addslashes in the escape function? E.g.
$description = mysql_real_escape_string($_POST['description']);
where people are likely to use ' " / etc.?

Is having ' " / in comments going to cause a problem with parsing?

eelixduppy

4:15 pm on Nov 19, 2006 (gmt 0)



This line

$description = mysql_real_escape_string($_POST['description']);

already escapes those characters for you, therefore it is not necessary to escape them again with addslashes.
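The following is an added example for this thread, not code posted by any of the participants. It puts the thread's UPDATE query into three forms side by side: the concatenated string from the first posts (built but never executed, so the reader can see what the database would receive when a value contains a quote), the escaped form eelixduppy recommends, and a prepared statement, where the value never becomes part of the SQL text at all. It also shows the difference between addslashes and the connection-aware escaper that Atomic_Guy asked about. It assumes the table GC with columns GCNumber and KEYCODE implied by the thread, uses mysqli (the maintained successor of the mysql_* functions, which were removed in PHP 7), and the host, user, password and database names are placeholders; $GC and $KEY2 are given constructed sample values.

```php
<?php
// Added example for this thread, not code from any poster. Assumes a table
// GC(GCNumber INT, KEYCODE CHAR(32)) and a mysqli connection. Connection
// parameters below are placeholders; $GC and $KEY2 are constructed values.

// 1. The concatenated query from the thread. This only builds the string and
//    never executes it, so we can inspect what the server would be sent.
function buildConcatenatedUpdate(string $gc, string $key2, string $getKey): string {
    return "UPDATE GC SET GCNumber='" . $gc . "', KEYCODE='" . $key2
         . "' WHERE KEYCODE='" . $getKey . "'";
}

$expectedKey = str_repeat('a', 32);   // constructed: the shape of an md5 hex digest
$oddValue    = "O'Brien";             // constructed: ordinary text containing a quote
echo buildConcatenatedUpdate('7', $expectedKey, $expectedKey), "\n";
echo buildConcatenatedUpdate('7', $expectedKey, $oddValue), "\n";
// The second statement ends in WHERE KEYCODE='O'Brien' : the quote inside the
// value terminates the SQL literal early, so the text of the value is now
// being parsed as SQL. That is the whole problem, whether or not a row matches.

// 2. The escaped form. mysqli_real_escape_string needs a live connection so it
//    can escape correctly for the connection's character set.
function buildEscapedUpdate(mysqli $db, string $gc, string $key2, string $getKey): string {
    return "UPDATE GC SET GCNumber='" . $db->real_escape_string($gc)
         . "', KEYCODE='" . $db->real_escape_string($key2)
         . "' WHERE KEYCODE='" . $db->real_escape_string($getKey) . "'";
}

// 3. The prepared statement. Values are bound separately from the SQL text, so
//    a quote in the input is just data and no escaping is required.
function updateKeycode(mysqli $db, int $gc, string $key2, string $getKey): int {
    $stmt = $db->prepare('UPDATE GC SET GCNumber = ?, KEYCODE = ? WHERE KEYCODE = ?');
    $stmt->bind_param('iss', $gc, $key2, $getKey);
    $stmt->execute();
    $affected = $stmt->affected_rows;   // 0 means no row had that KEYCODE;
    $stmt->close();                     // the statement still ran either way
    return $affected;
}

// 4. Validation before the query runs. The thread says KEY is an md5 digest,
//    so anything that is not 32 lowercase hex characters can be rejected.
function isMd5Hex(string $s): bool {
    return preg_match('/\A[0-9a-f]{32}\z/', $s) === 1;
}

// 5. addslashes versus the connection-aware escaper. addslashes only prefixes
//    single quote, double quote, backslash and NUL; it knows nothing about the
//    connection charset, and leaves newline, carriage return and Ctrl-Z alone,
//    which real_escape_string also handles.
echo addslashes("line1\nO'Brien"), "\n";   // newline passes through untouched

// Putting it together for the thread's request handler.
$db   = new mysqli('db-host-placeholder', 'user-placeholder', 'password-placeholder', 'db-placeholder');
$GC   = 7;                          // constructed sample values for the thread's variables
$KEY2 = md5('constructed-new-key');
$key  = $_GET['KEY'] ?? '';

if (!isMd5Hex($key)) {
    http_response_code(400);
    exit('bad key');
}
$rows = updateKeycode($db, $GC, $KEY2, $key);
echo "rows updated: $rows\n";
```

Of the three forms, only the prepared statement removes the string-assembly step entirely; the escaped form is correct as long as every value goes through the escaper with the same connection it will be sent on, which is exactly the step the original query skipped. The md5 validation is a second, independent layer: it means a malformed KEY is rejected before the database is involved, and it also gives a clear point at which to log rejected requests.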