
Certain screen names mess up my query


pugs421

Technical User
Joined
Nov 25, 2002
Messages
114
Location
US
a user enters a screen name. after that I am able to set up a query to
"SELECT * FROM setup WHERE screen_name = $screen_name"

I can then pull data for that user with no problems unless certain characters are used in the screen name. For testing purposes I just hit a bunch of characters, but as an example if the user enters in !"£$%^&*(&))_-=+/.,';[]{} as a screen name, no records are retrieved. If they enter a normal name like joe123 everything works fine. How do I avoid a possible problem caused by a user entering in strange information?

I am already using htmlspecialchars($screen_name) because I know one of the users for this members' site is D<O>A, and without the htmlspecialchars() his name was retrieved as DA.
 
All strings must be put in quotes in SQL.
[tt]"SELECT * FROM setup WHERE screen_name = '$screen_name'"[/tt]

//Daniel
 
Sorry, I typed it wrong. That's not the problem, because everything works fine except when someone enters a strange username with many special characters in it.
 
What part of the querying process is it that fails? Does the query work but it doesn't return any records?

//Daniel
 
' and backslash \ will destroy things. You have to change it to \' and \\ to query

Otherwise !@^ etc. should work fine if you use the enclosing quotes.

Regards,

Namida
 
Yeah, it just doesn't return any results when I use a screen name like listed above. Is there a way to change it to \' and \\ for the query since the username is user entered? (newbie)
 
I kept testing to see exactly which characters cause problems. The screen name !£$%^*())_-=+.,;[]{}? works fine. These characters give the problem when in the screen name: '"&\/
I'll try the mysql_escape_string and see how that works. Thanks
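Escaping the quote and backslash as Namida describes (or with mysql_escape_string) patches up string interpolation; the robust fix is to bind the screen name as a parameter so the driver never parses it as SQL, and htmlspecialchars() is for HTML output, not for the query. The following is an added example, not code from this thread: it uses PDO with an in-memory SQLite database so it runs without a MySQL server, the table and column names (setup, screen_name) follow the question, and the rows are constructed here.

```php
<?php
// Added example: in-memory SQLite stands in for MySQL; rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE setup (id INTEGER PRIMARY KEY, screen_name TEXT)");
$ins = $db->prepare("INSERT INTO setup (screen_name) VALUES (?)");
$names = ['joe123', 'D<O>A', "o'brien", '\'"&\\/'];   // last one is '"&\/
foreach ($names as $name) {
    $ins->execute([$name]);
}

// The thread's approach: paste the raw value into the SQL text.
// A quote (or, on MySQL, a backslash) in $screen_name breaks the statement,
// which shows up as "no records"; a crafted value can also change what the
// statement does, which is the SQL injection risk.
function lookup_interpolated(PDO $db, string $screen_name): ?array
{
    try {
        $stmt = $db->query("SELECT * FROM setup WHERE screen_name = '$screen_name'");
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    } catch (PDOException $e) {
        return null;   // statement failed to parse: the symptom from the question
    }
}

// The fix: send the value separately from the SQL text as a bound parameter.
// Quotes, backslashes and HTML characters need no escaping at all.
function lookup_parameterized(PDO $db, string $screen_name): ?array
{
    $stmt = $db->prepare("SELECT * FROM setup WHERE screen_name = ?");
    $stmt->execute([$screen_name]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

foreach ($names as $name) {
    printf("%-10s interpolated: %-8s parameterized: %s\n",
        $name,
        lookup_interpolated($db, $name) ? 'found' : 'missing',
        lookup_parameterized($db, $name) ? 'found' : 'missing');
}
```

joe123 and D<O>A are found both ways; o'brien and '"&\/ are found only by the parameterized query.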
 