
mysql_real_escape_string w/ session data


seaweed


I'm using the POST method to pass data to a script, and then putting the data into a $_SESSION array. Ultimately the data will be put into an SQL database, so I want to cleanse it with mysql_real_escape_string, but when I use mysql_real_escape_string and then put the data into the $_SESSION array, all of the variables are empty.

For example, this works:

$prod_id = $_POST['prod_id'];
$prod_qty = $_POST['prod_qty'];
$prod_size = $_POST['prod_size'];
$prod_color = $_POST['prod_color']; 

$_SESSION['CART']['ITEMS'][] = array(
   'prod_id' => $prod_id,
   'prod_qty' => $prod_qty,
   'prod_size' => $prod_size,
   'prod_color' => $prod_color
);

This does not:

$prod_id = mysql_real_escape_string($_POST['prod_id']);
$prod_qty = mysql_real_escape_string($_POST['prod_qty']);
$prod_size = mysql_real_escape_string($_POST['prod_size']);
$prod_color = mysql_real_escape_string($_POST['prod_color']); 

$_SESSION['CART']['ITEMS'][] = array(
   'prod_id' => $prod_id,
   'prod_qty' => $prod_qty,
   'prod_size' => $prod_size,
   'prod_color' => $prod_color
);

Is there a reason why?

Is there a better way to clean the data before I stuff it in the session?

https://forums.phpfreaks.com/topic/156747-mysql_real_escape_string-w-session-data/

Use mysql_real_escape_string right before INSERTing the data into the database. There's no need to escape it before, and as you can see you run into all kinds of problems with that. Not to mention you risk double (or multiple) escaping the same data.

mysql_connect has to be called in each script that queries the database.

mysql_pconnect does not work as most people expect it to. Read the comments on the manual page.
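
An added example, not code from this thread: the cart flow with the values kept unescaped in the session and made safe only at the point of the INSERT. It swaps mysql_real_escape_string for PDO bound parameters, which serve the same purpose at query time. The `cart_items` table, the `cartItemFromPost` helper, the in-memory SQLite DSN (used so the script runs without a server) and the sample input are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST and $_SESSION so the
// script runs from the command line.
$post = ['prod_id' => '42', 'prod_qty' => '2', 'prod_size' => "L'", 'prod_color' => 'red"; --'];
$session = ['CART' => ['ITEMS' => []]];

// Step 1, on input: validate the shape of the data, but do not SQL-escape it.
// The session holds the real values, so nothing gets escaped twice later.
function cartItemFromPost(array $post): array   // hypothetical helper
{
    $id  = filter_var($post['prod_id'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    $qty = filter_var($post['prod_qty'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 99]]);
    if ($id === false || $qty === false) {
        throw new InvalidArgumentException('prod_id and prod_qty must be positive integers');
    }
    return [
        'prod_id'    => $id,
        'prod_qty'   => $qty,
        'prod_size'  => (string) ($post['prod_size'] ?? ''),
        'prod_color' => (string) ($post['prod_color'] ?? ''),
    ];
}

$session['CART']['ITEMS'][] = cartItemFromPost($post);

// Step 2, at insert time: open the connection in the script that runs the
// query and let the driver handle quoting through bound parameters.
$pdo = new PDO('sqlite::memory:');   // assumed DSN; a MySQL DSN goes here in practice
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cart_items (prod_id INTEGER, prod_qty INTEGER, prod_size TEXT, prod_color TEXT)');

$stmt = $pdo->prepare('INSERT INTO cart_items (prod_id, prod_qty, prod_size, prod_color) VALUES (?, ?, ?, ?)');
foreach ($session['CART']['ITEMS'] as $item) {
    $stmt->execute([$item['prod_id'], $item['prod_qty'], $item['prod_size'], $item['prod_color']]);
}

// The stored text matches the session value character for character,
// quotes included, because it was never escaped before reaching the driver.
$row = $pdo->query('SELECT prod_size, prod_color FROM cart_items')->fetch(PDO::FETCH_ASSOC);
var_dump($row['prod_size'] === $session['CART']['ITEMS'][0]['prod_size']);
var_dump($row['prod_color'] === $session['CART']['ITEMS'][0]['prod_color']);
```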
