• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 169
  • Last Modified:

mysql_query question

I'm trying to do this:
      $query = "SELECT * FROM $tbl_name WHERE Date = '$this_date'";
which outputs this:
    SELECT * FROM tblMyTable WHERE Date = '2007-03-27'


and of course that works fine...

However, when I do this:
     $query = "SELECT * FROM  %s Where Date = %s";
     $query = mysql_real_escape_string(sprintf($query, $tbl_name, $this_date));

it outputs this:
    SELECT * FROM tblMyTable WHERE Date = \'2007-03-27\'

and that doesn't work.


I thought that was the safe way to handle queries.

Is that not OK because, when I call mysql_query, it will escape the quotes again?
So if I want to be careful, I should use mysql_real_escape_string directly on the variables I'm worried about and NOT escape the query string.

Thanks VERY MUCH for your help.
0
Asked:
tjazzvibe

1 Solution

steelseth12 Commented:
You should use mysql_real_escape_string on each field and not on the entire query.

// keep the quotes around %s in the format string; the escaping only
// protects what goes inside them (without them the date is read as arithmetic)
$query = "SELECT * FROM %s WHERE Date = '%s'";
$query = sprintf($query,
    mysql_real_escape_string($tbl_name),
    mysql_real_escape_string($this_date));
0
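The distinction steelseth12 draws above, worked through as an added example (not code from this thread): a PHP script using PDO against an in-memory SQLite database so it runs offline. The DSN, the table `tblMyTable`, the column `Date` and the sample rows are assumptions, and PDO::quote() stands in for mysql_real_escape_string() since the mysql_* functions were removed in PHP 7 (quote() also adds the surrounding quotes, and SQLite doubles an embedded quote where MySQL would backslash it). It shows the whole-query escaping failing, per-value escaping working, and the prepared statement that makes manual escaping unnecessary.

```php
<?php
// Added example, not steelseth12's or tjazzvibe's code. PDO + in-memory SQLite
// so it runs offline (assumption); with MySQL only the DSN would change.
// PDO::quote() plays the role mysql_real_escape_string() played in the thread.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// constructed sample table and rows, names taken from the question
$pdo->exec("CREATE TABLE tblMyTable (id INTEGER PRIMARY KEY, Date TEXT, note TEXT)");
$pdo->exec("INSERT INTO tblMyTable (Date, note) VALUES ('2007-03-27', 'a'), ('2007-03-28', 'b')");

$tbl_name  = 'tblMyTable';
$this_date = '2007-03-27';

// 1. What the question did: escape/quote the *whole* assembled statement.
//    The result is one big string literal, not SQL, so the database rejects
//    it (the same failure the thread saw as \'2007-03-27\').
$whole = $pdo->quote(sprintf("SELECT * FROM %s WHERE Date = '%s'", $tbl_name, $this_date));
echo "whole-query quoting produced: $whole\n";
try {
    $pdo->query($whole);
} catch (PDOException $e) {
    echo "  rejected by the database: " . $e->getMessage() . "\n";
}

// 2. What the answer recommends: quote each *value* and keep the quotes in
//    the statement. quote() escapes any quote characters inside the value,
//    so a value containing a quote stays data instead of becoming syntax.
//    Identifiers (the table name) cannot be protected by value escaping;
//    check them against a fixed allow-list instead.
$allowed_tables = ['tblMyTable' => true];
if (!isset($allowed_tables[$tbl_name])) {
    throw new RuntimeException('unexpected table name');
}
$sql  = sprintf("SELECT * FROM %s WHERE Date = %s", $tbl_name, $pdo->quote($this_date));
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "per-value quoting matched " . count($rows) . " row(s)\n";

$odd = "2007-03-27'";   // a value carrying a stray quote character
$sql = sprintf("SELECT * FROM %s WHERE Date = %s", $tbl_name, $pdo->quote($odd));
$rows = $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "value with an embedded quote matched " . count($rows) . " row(s), no syntax error\n";

// 3. The approach that removes manual escaping altogether: a prepared
//    statement, where the value travels separately from the SQL text.
$stmt = $pdo->prepare("SELECT * FROM tblMyTable WHERE Date = :d");
$stmt->execute([':d' => $this_date]);
echo "prepared statement matched " . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";
```

Run it with `php example.php`. The table-name allow-list is the part that mysql_real_escape_string never covered: escaping is defined for string values inside quotes, so an identifier pulled from user input needs a whitelist (or backtick quoting with its own rules) rather than value escaping.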
 
tjazzvibe (Author) Commented:
Of course. Duh. Thanks so much.
0
