Solarpitch Posted July 30, 2008

Hey,

I'm currently trying to use the mysql_real_escape_string() function to secure my scripts, but when I apply it to a variable, the variable becomes blank when the query is run.

```php
<?php
//Sample of my login script...

$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);

//Pass into the function to check the user credentials
$auth = auth_admin($user, $pass);

// ..........

//The function itself...
function auth_admin($username, $password)
{
    dbconnect();
    echo $query = "SELECT * FROM club_data WHERE username = '" . $username . "' AND password = '" . $password . "'";
    $result = mysql_query($query);
    if (!$result) {
        echo "Unable to run query.";
        exit;
    }
    $row = mysql_fetch_row($result);
    $count = $row[10];
    if ($count > 0) {
        $clubid = $row[10];
    } else {
        $clubid = 0;
    }
    return $clubid;
}
?>
```

Now the problem is when I echo the SQL it appears as..

```
SELECT * FROM club_data WHERE username = '' AND password = ''
```

Any help with this would be great as the site has been victim to some SQL attacks recently.

Cheers

PFMaBiSmAd Posted July 30, 2008

Add the following two lines after your first opening <?php tag -

```php
ini_set("display_errors", "1");
error_reporting(E_ALL);
```

Solarpitch Posted July 30, 2008

Hi,

It came back with...

```
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/site/www/portal/index.php on line 43
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/site/www/portal/index.php on line 43
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/site/www/portal/index.php on line 44
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/site/www/portal/index.php on line 44
```

Could this be something I need to contact the hosting company about?

phpcodec Posted July 30, 2008

You need to put "dbconnect();" at the top of the page before mysql_real_escape_string().

Solarpitch Posted July 30, 2008

I have a file that includes a DB connection already, so a connection is being made. Why would that function rely on a database connection anyway?

wildteen88 Posted July 30, 2008

mysql_real_escape_string escapes harmful characters in a string. This function requires a connection to MySQL, as the escaping is handled by MySQL rather than PHP.

Solarpitch Posted July 30, 2008

Ah I see... didn't know that at all... so would it be better to have it in the actual query itself like this....

```php
<?php
dbconnect();
echo $query = "SELECT * FROM club_data WHERE username = '" . mysql_real_escape_string($username) . "' AND password = '" . mysql_real_escape_string($password) . "'";
$result = mysql_query($query);
?>
```

Would this work too, and is it considered good practice?

wildteen88 Posted July 30, 2008

mysql_real_escape_string can be called anywhere in your script provided there is a valid MySQL connection established. You do not need to call it specifically in a query.

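
The login check from this thread written with bound parameters, as an added example that is not code from any poster: the connection object is passed in explicitly, so user input can never be processed before a database link exists, which was the cause of the blank values above. It goes slightly beyond the thread by using PDO (the mysql_* functions were removed in PHP 7.0) and a hashed password; it assumes the pdo_sqlite extension so it runs offline, and the column names `clubid` and `password_hash` and all sample rows are constructed.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for
// MySQL; the table layout and sample accounts below are constructed.

function auth_admin(PDO $db, string $username, string $password): int
{
    // The placeholder keeps the SQL text fixed; the username travels
    // separately as data and is never spliced into the statement.
    $stmt = $db->prepare(
        'SELECT clubid, password_hash FROM club_data WHERE username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user and wrong password both return 0, like the original.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return 0;
    }
    return (int) $row['clubid'];
}

$db = new PDO('sqlite::memory:');
// Raise exceptions on database errors rather than failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec(
    'CREATE TABLE club_data (
        clubid INTEGER PRIMARY KEY,
        username TEXT UNIQUE,
        password_hash TEXT
    )'
);

// Constructed sample accounts; one username contains a quote character.
$insert = $db->prepare(
    'INSERT INTO club_data (clubid, username, password_hash) VALUES (?, ?, ?)'
);
$insert->execute([7, "o'brien", password_hash('sample-pass-1', PASSWORD_DEFAULT)]);
$insert->execute([9, 'solar', password_hash('sample-pass-2', PASSWORD_DEFAULT)]);

// A quote in the name is matched as plain data and the lookup succeeds.
var_dump(auth_admin($db, "o'brien", 'sample-pass-1'));
// A wrong password for an existing user is rejected.
var_dump(auth_admin($db, 'solar', 'wrong-pass'));
// A name with a stray trailing quote is simply an unknown user.
var_dump(auth_admin($db, "solar'", 'sample-pass-2'));
```
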
Archived
This topic is now archived and is closed to further replies.