OneOrZero / PHP Hack needed

[Gatt]

Need some help with this one..

Using LDAP to authenticate users in One||Zero, but come across a problem with a couple of users who have apostrophe's in their names.. (eg: O'Connor) and email addresses..

I need to know how to get PHP to ignore the apostrophe's as its refusing to allow them to logon with the following errors:

LDAP server did not return any users for the specified Username! ... Check the 'LDAP User Search Attribute' in the Moorside High School Server Settings!

and

Invalid query: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'neill',user_name='joneill',email='jo'neill@staff. internal',password='d41d8cd98f0' at line 1

[contink]

take a look at addslashes() to escape the single quotes before you try to use the variable to query the db.

[DarkLight]

As contink said, addslashes should do it for you.

You might want to check over the script for any other instances of that query, as allowing characters like that in the query unescaped is pretty dangerous - depending on your situation.

Best Regards,

[TornUp]

as said above, you should really be stripping all HTML and using addslash() to all your inputs fields, i usualy do it first thing, about a year ago my mate managed to SQL inject the virgin media website. its risky stuff. and in secondary schools and colleges students are becomming more and more clever!