
I am trying to use quoteSmart to safely format my input; however, it always comes back as empty when I am using quoteSmart, leading me to assume that I am doing something wrong or not calling it in the right way?

$user= new DataObjects_user;
$password=mysql_escape_string(($password));

DB_DataObject::debugLevel(5);

$username=$_REQUEST['username'];
$password=encryptpass($_REQUEST['password']);

$user->query(
    "select activated,userid,email,username from {$user->__table} where (username = "
    . $user->quoteSmart($username)
    . " or email=" . $user->quoteSmart($username)
    . ") AND password =" . $user->quoteSmart($password) . " "
);

if($user->fetch())
{ //more code here

Thanks

cweiske
ivan

1 Answer


Please try to understand how to use DB_DataObjects correctly. You are not supposed to write your own SQL with them.

If you only want to send your own SQL, use PDO instead.

cweiske
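The PDO route the answer mentions, sketched as an added example (not code from the question or from the answer): the question's lookup written with bound placeholders instead of quoted string concatenation. The `user` table name, the in-memory SQLite database, the sample row, the `findUser()` helper and the use of `password_hash()`/`password_verify()` in place of the question's `encryptpass()` are all assumptions made for illustration.

```php
<?php
// Added example: schema and sample row are constructed, not taken from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE user (
    userid INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT UNIQUE,
    password TEXT NOT NULL, activated INTEGER NOT NULL DEFAULT 0)');
$ins = $pdo->prepare('INSERT INTO user (username, email, password, activated)
                      VALUES (:u, :e, :p, 1)');
$ins->execute([
    ':u' => 'alice',
    ':e' => 'alice@example.test',
    ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

/**
 * Hypothetical helper: look a user up by username or e-mail and verify
 * the password. Returns the row without the hash, or null on failure.
 */
function findUser(PDO $pdo, string $login, string $password): ?array
{
    // Placeholders keep request input out of the SQL text entirely,
    // so no quoting helper is involved at all.
    $stmt = $pdo->prepare(
        'SELECT activated, userid, email, username, password
           FROM user
          WHERE username = :login_name OR email = :login_mail'
    );
    $stmt->execute([':login_name' => $login, ':login_mail' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash in PHP rather than in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// Valid login by username, wrong password by e-mail, and input containing
// quote characters, which is bound as plain data and matches no row.
var_dump(findUser($pdo, 'alice', 'correct horse'));
var_dump(findUser($pdo, 'alice@example.test', 'wrong'));
var_dump(findUser($pdo, "x' OR '1'='1", "x' OR '1'='1"));
```

The two placeholders carry different names because a named placeholder cannot be reused within one statement when the driver prepares natively.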