EmperorJazzy Posted March 22, 2011 Share Posted March 22, 2011 Morning All, Should be a quick one for the seasoned veterans! I'm learning the in's and out's of sanitizing my variables for input into my database (mysql). The following is my code; $Username = mysql_real_escape_string($_POST['username']); $PWord = mysql_real_escape_string($_POST['pword']); $Email = mysql_real_escape_string($_POST['email']); $Fullname = mysql_real_escape_string($_POST['fullname']); $Address_1 = mysql_real_escape_string($_POST['address_1']); $Address_2 = mysql_real_escape_string($_POST['address_2']); $City = mysql_real_escape_string($_POST['city']); $Zip = mysql_real_escape_string($_POST['zip']); $Country = mysql_real_escape_string($_POST['country']); The following is my output; Error executing INSERT statement - INSERT INTO tblUser(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)VALUES ('','','','','','','','','') Any ideas? Also; is mysql_real_escape_string valid for use on all types of input from the input box? Quote Link to comment Share on other sites More sharing options...
Maq Posted March 22, 2011 Share Posted March 22, 2011 The mysql_real_escape_string method would not be causing this. The issue is somewhere else in your code. Are you sure these POST variables have values? Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted March 22, 2011 Share Posted March 22, 2011 The code you posted looks correct, but mysql_real_escape_string() is not "clearing" the values. Either the post vars are empty or there is something wrong in the query. Hmmm... close to verbatim Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 I thought as much..... I retried the entry page again and got the same output. Will revert to original without the mysql_real_escape_string and retest. Shouldn't have been a coding change but you never know... Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 22, 2011 Share Posted March 22, 2011 I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values. Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values. No, I'm setting the variables first with this code snippet and then opening the connection. Should this be done before using mysql commands? Others: Have reverted and the code works fine, inserts the new user without issue. Thoughts? P.S I'm using mysqli_connect as the connection string command btw. Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted March 22, 2011 Share Posted March 22, 2011 I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated. So, by no arguments that means that it attempts a connect with no username, password, etc. which will most likely fail. So Maq and I were both in error. :'( Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated. So, by no arguments that means that it attempts a connect with no username, password, etc. which will most likely fail. OK; here is the revised code with the connection string the first line. $dbc = mysqli_connect('localhost','dbuser','dbpassword','dbname') or die('Error connecting to dbGeneral'); $Username = mysql_real_escape_string($_POST['username']); $PWord = mysql_real_escape_string($_POST['pword']); $Email = mysql_real_escape_string($_POST['email']); $Fullname = mysql_real_escape_string($_POST['fullname']); $Address_1 = mysql_real_escape_string($_POST['address_1']); $Address_2 = mysql_real_escape_string($_POST['address_2']); $City = mysql_real_escape_string($_POST['city']); $Zip = mysql_real_escape_string($_POST['zip']); $Country = mysql_real_escape_string($_POST['country']); $query = "INSERT INTO tableUserNames(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)" . "VALUES ('$Username','$Fullname','$Email','$Address_1','$Address_2','$City','$Zip','$Country','$PWord')"; mysqli_query($dbc, $query) or die('Error executing INSERT statement - ' . $query); I'm not getting an error on the connection string; however, even in this scenario I'm getting empty values. Error executing INSERT statement - INSERT INTO tblUser(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)VALUES ('','','','','','','','','') PHP Errors; Sorry only just threw this code in. Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 14 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 14 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 15 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 15 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 16 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 16 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 17 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 17 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 18 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 18 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 19 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 19 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 20 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 20 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 21 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 21 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 22 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 22 Quote Link to comment Share on other sites More sharing options...
Maq Posted March 22, 2011 Share Posted March 22, 2011 So Maq and I were both in error. :'( I didn't even know. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted March 22, 2011 Share Posted March 22, 2011 LOL - No, I'm setting the variables first with this code snippet and then opening the connection. Should this be done before using mysql commands? P.S I'm using mysqli_connect as the connection string command btw. ^^^ Then why aren't you using mysqli_real_escape_string() (after you connect to the database server.) You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that php will report and display all the errors it finds. You will save a TON of time. Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 LOL - No, I'm setting the variables first with this code snippet and then opening the connection. Should this be done before using mysql commands? P.S I'm using mysqli_connect as the connection string command btw. ^^^ Then why aren't you using mysqli_real_escape_string() (after you connect to the database server.) You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that php will report and display all the errors it finds. You will save a TON of time. Just switched it on. Thanks PFMaBiSmAd Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 Still no satisfaction; further ideas? Quote Link to comment Share on other sites More sharing options...
AbraCadaver Posted March 22, 2011 Share Posted March 22, 2011 Did you read: http://us3.php.net/manual/en/mysqli.real-escape-string.php to see what it expects? Quote Link to comment Share on other sites More sharing options...
EmperorJazzy Posted March 22, 2011 Author Share Posted March 22, 2011 Please close thread. Thank you all for your help. mysqli_real_escape_string requires two variables; the connection variable, and the string variable. Once corrected; the strings are parsed escaped. Quote Link to comment Share on other sites More sharing options...
Maq Posted March 22, 2011 Share Posted March 22, 2011 Please close thread. Thank you all for your help. We don't close threads when they are resolved. We used to have a "Topic Solved" button but unfortunately it was lost during the forum upgrade. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.