PHP VALUES BLANK mysqli_real_escape_string ISSUE

[PHPOD]

Hi all

 

I have been onto my host and they have asked me to remove mysqli_real_escape_string and change my php code from

 

// $address = mysqli_real_escape_string($link, $_POST['address']);

 

to

 

$address = $_POST['address'];

 

as the values that are being returned form my form are coming out blank.

 

i have had a look at the following work around

 

http://forums.devshed.com/php-development-5/mysql-real-escape-string-returning-empty-string-529228.html

 

 

but after looking at the the PHP site it states that the mysql_escape_string has been deprecated and will be removed form version 6. (see link)

 

http://php.net/manual/en/function.mysql-escape-string.php

 

Could you advise on an alternative to insure that the data that will be inputted to mysql will be safe! 

[PHPOD]

please see

 

http://www.phpfreaks.com/forums/index.php/topic,277509.0.html

 

for more information

 

[cags]

mysql_escape_string is deprecated as you say, the suggested replacement is mysql_real_escape_string but it doesn't seem appropriate in your case anyway as your working with mysqli. Did your webhost suggest that as a permanent solution, or was it a method for diagnosis? Did they give a reason for this happening? Are we to take it that if you do change it as suggested, it then works?

[PHPOD]

Hey cags

 

my webhost suggest this as a permanent solution, they didnt give a reason for this happening i think they dont know themselfs  If i do what they say above it works but this still leaves the security issues 

[evildobbi]

I write in OOP! But what I use is:

 

$_VARIABLE = $ELEMENTCALL->real_escape_string($_VARIABLE);

 

That works fine

[cags]

Whether called Procedurally or via OOP shouldn't make any difference to the behaviour. In most cases calling mysqli_real_escape_string works for people. It's just PHPOD (and a small percentage of other people) that is/are having problems for some reason. I've had a few ideas what might be causing problems, but every time I've checked for extra information it's been as expected/required, not missing anything.

 

You could try changing your code to use a mysqli object rather than calling it procedurally, but I don't see it working any different. You could also try using the mysql_ functions as opposed to the mysqli_ functions, but again, I wouldn't have thought it would make any difference.

 

Have you checked if your server has magic_quotes enabled (phpinfo? Perhaps attempting to double escape is causing problems?!

[Mchl]

Your $link does not seem to be defined within VisitorIP() function.

[cags]

True, but nor is it used in VisitorIP()

[Mchl]

Ahh... yes... I confused brackets...

 

Anyway. var_dump($link); just before using mysqli_real_escape_string to see if it's what it's supposed to be.

You can also var_dump($_POST); to check if the values are there.