pahunrepublic Posted July 30, 2010

I tried to put some protection into this code:

<?php
include_once 'dbinfo.php';

$final_report = ''; // initialised here so the .= below and the echo in the form never touch an undefined variable

if(isset($_POST['kuldes'])) {
    $name = trim($_POST['nev']);
    $username = $_POST['felh_nev'];
    $password = $_POST['jelszo'];
    $email = $_POST['email'];
    $phone = $_POST['telefon'];
    $gender = $_POST['sex'];
    $hobby = $_POST['hobby'];
    $regfelt = $_POST['regfelt'];

    //*for($i = 0; $i < count($hobby); $i++) {
    //$h = $hobby[$i];
    //This is replacing the hobby value in $h each time you go through the loop. So you only get the last value in the array.

    //MySQL Injection protection
    $name = strip_tags($name);
    $name = mysql_real_escape_string($name);
    $name = stripslashes($name);
    $username = strip_tags($username);
    $email = strip_tags($email);
    $phone = strip_tags($phone);

    //$memip = $_SERVER['REMOTE_ADDR'];
    $date = date("d-m-Y");

    if($name == NULL || $username == NULL || $password == NULL || $email == NULL || $phone == NULL || $gender == NULL) {
        echo "Please complete the form below or one of the boxes is empty.";
    } else {
        if(strlen($username) <= 3 || strlen($username) >= 30){
            $final_report.="Your username must be between 3 and 30 characters..";
        } else {
            $select_dbase="SELECT * FROM users WHERE username='$username'";
            $result=mysqli_query($connect, $select_dbase);
            if(mysqli_num_rows($result) != 0){
                $final_report.="The username is already in use!";
            } else {
                if(strlen($password) <= 6 || strlen($password) >= 12){
                    $final_report.="Your password must be between 6 and 12 digits and characters..";
                } else {
                    // eregi() is deprecated; preg_match() with the i flag is the same case-insensitive match
                    if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
                        $final_report.="Your email address was not valid..";
                    } else {
                        if(!preg_match("/^[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,10}$/", $phone)){
                            $final_report.="Phone number is invalid. Only numbers with hyphen. Allowed format: countrycode-areacode-phonenumber";
                        } else {
                            if(!isset($hobby)){
                                $final_report.="You didn't select any hobbies";
                            } else {
                                if(!isset($regfelt)){
                                    $final_report.="You didn't accept the terms";
                                } else {
                                    //The implode() function returns a string from the elements of an array.
                                    $h = implode(",", $hobby);
                                    $insert_dbase = 'INSERT INTO users(name,sex,email,phone_number,username,password,hobby) VALUES("' . $name . '","' . $gender . '","' . $email . '", "' . $phone . '","' . $username . '","' . md5($_POST['jelszo']) . '","'. $h .'")';
                                    mysqli_query($connect,$insert_dbase);
                                    header("Location: login_form.php");
                                    exit;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

/*You are using the $_POST values without any validation or protection. This can leave you open to sql injection attacks as well as possible xss attacks. For SQL protection, look at mysql_real_escape(). For the xss, you need to validate the contents of the fields. Just because you put a SELECT list on the form with the name 'hobby' does not mean that the user submitted something from that list. It is very easy to send something completely unexpected. This applies to ALL input from the browser. Use PDO.*/

/*$v1 = 'unchecked';
$v2 = 'unchecked';
$selected_radio = $gender;
if ($selected_radio = 'no') { $v1 = 'checked';}
else if ($selected_radio = 'ferfi') { $v2 = 'checked';}*/
?>

<h1>Registration Form</h1>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" name="registration_form" method="POST">
<p>Name: <input type="text" name="nev" value="<?php echo (isset($name) ? $name : ''); // if the $name variable was given, print what was entered, otherwise '' ?>" size=25></p>
<p>Username: <input type="text" name="felh_nev" value="<?php echo (isset($username) ? $username : ''); ?>" size=10></p>
<p>Password: <input type="password" name="jelszo" size=10></p>
<!--<p>Password again:<input type="password" name="password_confirmation"></p>-->
<p>E-mail: <input type="text" name="email" value="<?php echo (isset($email) ? $email : ''); ?>"/></p>
<p>Phone number: <input type="text" name="telefon" value="<?php echo (isset($phone) ? $phone : ''); ?>"/></p>
<p>Sex: <label><input type="radio" name="sex" value="no" >Female</label> <label><input type="radio" name="sex" value="ferfi" >Male</label></p>
<p>Favorite hobbies (Using CTRL you can select more than one):</p>
<select name="hobby[]" size="4" multiple>
<option value="sport">Sport</option>
<option value="mozi">Movies</option>
<option value="kirandulas">Hiking</option>
<option value="olvasas">Reading</option>
</select>
<!-- <p>Other message:</p> <textarea name="megjegyzes" cols="40"></textarea>-->
<p><input name="regfelt" type="checkbox" value="elfogad">I accept the terms!</p>
<p><input name="kuldes" type="submit" value="Submit form"> <input name="reset" type="reset" value="delete"></p>
<table width="501" border="1">
<tr>
<td><?php echo $final_report; ?></td>
</tr>
</table>
<p> </p>
</form>

I had no problem with the code until I put in this part:

$name = mysql_real_escape_string($name);

It gave me the following error:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in

Can anyone help me with why I get this error?

dbinfo.php's content:

<?php
$dbhost = 'localhost';
$dbuser = 'root';
$dbpass = 'blabla';
$dbname = 'hehehe';
$connect = new mysqli($dbhost, $dbuser, $dbpass, $dbname);
// new mysqli() always returns an object, so !$connect never fires; connect_error is the check to make
if($connect->connect_error) {
    die('Connection failed: ' . $connect->connect_error);
}
?>

https://forums.phpfreaks.com/topic/209310-warning-mysql_real_escape_string/
Alex Posted July 30, 2010

You can't mix and match mysql and mysqli functions. You'll need to use mysqli_real_escape_string.
pahunrepublic (Author) Posted July 30, 2010

The problem is with mysqli_real_escape_string() you have to specify which are the strings that must be escaped. I don't know exactly which are the dangerous strings. OK, the main idea here is to prevent MySQL injection. The better solution would be PDO statements but I tried to rewrite the above code in PDO but without success. Anyone who can help me with this?
Mchl Posted July 30, 2010

You already got helped. BTW: mysqli also supports prepared statements.
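The fix both replies point at, as an added example that is not code from any poster: the username check and the INSERT from the first post rewritten with mysqli prepared statements, with the mysqli_real_escape_string() variant beside it for comparison. It assumes the $connect object from dbinfo.php and the users table columns from the original INSERT; password_hash() in place of md5() is a swap not discussed in the thread.

```php
<?php
// Added example, not from any poster. Assumes $connect is the mysqli object
// created in dbinfo.php and the users table from the original INSERT.
// Variant 1: escaping. mysqli_real_escape_string() needs the open connection as
// its first argument (the mysql_* version had none, hence the 'ODBC' error),
// and it has to be applied to EVERY value spliced into SQL, not only $name.
function username_taken_escaped(mysqli $connect, string $username): bool
{
    $safe = mysqli_real_escape_string($connect, $username);
    $result = mysqli_query($connect, "SELECT 1 FROM users WHERE username = '$safe'");
    return mysqli_num_rows($result) > 0;
}

// Variant 2: prepared statements (mysqli supports them, as Mchl notes). The SQL
// text and the values travel separately, so nothing is escaped or quoted by hand.
function username_taken(mysqli $connect, string $username): bool
{
    $stmt = $connect->prepare("SELECT 1 FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows > 0;
}

// Values that come from fixed form controls are checked against the option list
// the form actually offers (the values below are the ones in the posted form);
// a browser is not obliged to send one of them.
const ALLOWED_SEX   = ['no', 'ferfi'];
const ALLOWED_HOBBY = ['sport', 'mozi', 'kirandulas', 'olvasas'];

function register_user(mysqli $connect, array $f): bool
{
    if (!in_array($f['sex'], ALLOWED_SEX, true)) {
        return false;
    }
    $hobby = array_values(array_intersect($f['hobby'], ALLOWED_HOBBY));
    if ($hobby === []) {
        return false;
    }
    $hobby_csv = implode(",", $hobby);
    // password_hash() stands in for the thread's md5(); an assumption, not from the post.
    $hash = password_hash($f['password'], PASSWORD_DEFAULT);
    $stmt = $connect->prepare(
        "INSERT INTO users (name, sex, email, phone_number, username, password, hobby)
         VALUES (?, ?, ?, ?, ?, ?, ?)"
    );
    $stmt->bind_param("sssssss", $f['name'], $f['sex'], $f['email'],
                      $f['phone'], $f['username'], $hash, $hobby_csv);
    return $stmt->execute();
}
```

The length and format checks from the original post still run before register_user() is called; $f is the array of those already-validated fields.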
Archived
This topic is now archived and is closed to further replies.