
When I'm trying to make an SQL query, I get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'foo@gmail.com\' LIMIT 1' at line 1.

The finished query:

SELECT * FROM `members` WHERE `email` = \'foo@gmail.com\' LIMIT 1

The PHP that builds it:

$sql = "SELECT * FROM `members` WHERE `email` = '$email' LIMIT 1";

Am I missing something?

John Woo
user1681891
  • The manual in question: http://dev.mysql.com/doc/refman/5.0/en/string-literals.html – elclanrs Dec 13 '12 at 01:44
  • Please note that it's `$email` that should be passed through `mysql_real_escape_string` and not the full query. Even better however is using prepared statements. – Jim Dec 13 '12 at 02:22

2 Answers

This query will totally execute fine,

$sql = "SELECT * FROM `members` WHERE `email` = '$email' LIMIT 1";

but don't escape the single quotes in the query itself, since the string must be enclosed in single quotes; remove the \

SELECT * FROM `members` WHERE `email` = 'foo@gmail.com' LIMIT 1

Please be reminded that your code in PHP is vulnerable to SQL Injection; please read the article below to protect yourself against SQL Injection

John Woo

Why do you have those \ around the email value? That is where your syntax error is, as is readily apparent from the error message you received.

Mike Brant
  • I was printing out the query after I passed it through mysql_real_escape_string. – user1681891 Dec 13 '12 at 01:48
  • @user1681891 actually using `mysql_real_escape_string` doesn't fully protect you from sql injection, see this http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string/5741264#5741264 – John Woo Dec 13 '12 at 02:10
  • @user1681891 You don't escape the entire query, you just escape the variable data that you insert. – Mike Brant Dec 13 '12 at 16:26
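The three points made across both answers and the comments (escaping the finished query is what produces `\'foo@gmail.com\'`, only the variable should ever be escaped, and a prepared statement is better than either) side by side, as an added example that is not part of the original question or answers. It uses PDO with an in-memory SQLite database so it runs without a MySQL server (SQLite accepts the backtick-quoted identifiers); the DSN, the `members` table contents and the `o'brien@example.com` address are constructed for the example, and `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live MySQL connection.

```php
<?php
// Added example, not code from the original post. Assumes PDO with the sqlite
// driver; replace the DSN with a mysql: DSN to run it against MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `members` (`id` INTEGER PRIMARY KEY, `email` TEXT)');
// Constructed sample rows; the second address contains a single quote on purpose.
$pdo->exec("INSERT INTO `members` (`email`) VALUES ('foo@gmail.com'), ('o''brien@example.com')");

// 1. What the question did: escape the *finished* query. addslashes() escapes the
//    same quote characters mysql_real_escape_string() would, including the quotes
//    that delimit the literal, which is exactly what yields \'foo@gmail.com\'.
function escapedWholeQuery(string $email): string {
    $sql = "SELECT * FROM `members` WHERE `email` = '$email' LIMIT 1";
    return addslashes($sql);
}

// 2. Escape only the variable, then interpolate (the comments' first advice).
//    PDO::quote() adds the surrounding quotes and escapes for the driver in use.
function escapedValueOnly(PDO $pdo, string $email): string {
    $quoted = $pdo->quote($email);
    return "SELECT * FROM `members` WHERE `email` = $quoted LIMIT 1";
}

// 3. The preferred form: a prepared statement. The value never becomes part of
//    the SQL text, so quoting and escaping are not the application's job at all.
function findMember(PDO $pdo, string $email): ?array {
    $stmt = $pdo->prepare('SELECT * FROM `members` WHERE `email` = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$broken = escapedWholeQuery('foo@gmail.com');
echo $broken, "\n";   // SELECT * FROM `members` WHERE `email` = \'foo@gmail.com\' LIMIT 1
try {
    $pdo->query($broken);
} catch (PDOException $e) {
    // Same class of failure as the question's error message: the backslashes are
    // not valid SQL, so the server rejects the statement.
    echo "Syntax error, as in the question: ", $e->getMessage(), "\n";
}

// Escaping only the value gives a query the database parses as intended.
echo escapedValueOnly($pdo, "o'brien@example.com"), "\n";

// The prepared statement matches both rows and treats the quote purely as data.
var_dump(findMember($pdo, 'foo@gmail.com'));
var_dump(findMember($pdo, "o'brien@example.com"));
var_dump(findMember($pdo, 'nobody@example.com'));   // NULL: no such row
```

The second function still builds SQL by string concatenation, so it is only as safe as the escaping function's knowledge of the connection's character set, which is the caveat behind the linked question in John Woo's comment; the third function sidesteps that entirely, which is why the comments recommend prepared statements over escaping.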