
Mysql Real Escape


ajicles


Hello, I am having a problem trying to write to a database using mysql real escape so there won't be any injection attacks. I tried using myrealescape and it returns errors:

Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17

 

I add in the single quotes and it doesn't write either. Dreamweaver says that, with single quotes or not, there are no syntax errors.

 

What's going on? I have used it like this before: ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.

 

~AJ

 

 

<?php 
require_once('connect.php');

if(isset($_COOKIE['user'])){}else{
header( 'Location: members.php');
}

if (isset($_POST['sendBtn'])){

$messageFrom = $_COOKIE['user'];
$messageTo = $_POST['messageTo'];
$hash = $messageTo.$messageFrom.time();
$hash = md5($hash);

mysql_select_db("majik");

$sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')";

echo '<center>Your message was sent to: '.$messageTo.'</center>';


}


?>


Also, mysql_real_escape_string() only works inside mysql_query().

So doing this won't work:

$sql = "INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."'";
mysql_query($sql);

But this will:

mysql_query("INSERT INTO table (col1) VALUES ('".mysql_real_escape_string("my text")."')");

 

 

Someone correct me if I'm wrong.


You're wrong.
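
Added example, not part of the original thread or any poster's code: the query in the first post names nine columns but supplies eight values and is never passed to mysql_query(), so nothing is written whether or not the input is escaped. The code below performs the same insert with a PDO prepared statement; the SQLite in-memory DSN, the column types, the sendMessage() helper and the sample input are assumptions made so it runs on its own.

```php
<?php
// Added example: PDO with the SQLite driver is assumed so this runs offline;
// against MySQL only the DSN passed to new PDO() changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table and column names come from the post; the column types are assumed.
$pdo->exec('CREATE TABLE messagesystem (
    ID INTEGER PRIMARY KEY AUTOINCREMENT, hash TEXT,
    messageTo TEXT, messageFrom TEXT, messageSubject TEXT, messageBody TEXT,
    messageDate INTEGER, messageRead INTEGER, messageDelete INTEGER)');

// sendMessage() is a hypothetical helper, not code from the thread.
function sendMessage(PDO $pdo, string $from, array $post): int
{
    foreach (['messageTo', 'messageSubject', 'messageBody'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing field: $field");
        }
    }
    $now = time();
    // ID is auto-assigned; the other eight columns each get exactly one value.
    $stmt = $pdo->prepare(
        'INSERT INTO messagesystem
            (hash, messageTo, messageFrom, messageSubject, messageBody,
             messageDate, messageRead, messageDelete)
         VALUES (:hash, :recipient, :sender, :subject, :body, :sent, 0, 0)'
    );
    // User input travels as bound parameters, never as part of the SQL text.
    $stmt->execute([
        ':hash'      => md5($post['messageTo'] . $from . $now),
        ':recipient' => $post['messageTo'],
        ':sender'    => $from,
        ':subject'   => $post['messageSubject'],
        ':body'      => $post['messageBody'],
        ':sent'      => $now,
    ]);
    return (int) $pdo->lastInsertId();
}

// Constructed sample input standing in for $_POST and $_COOKIE['user'].
$post = ['messageTo' => 'bob', 'messageSubject' => "Friday's match",
         'messageBody' => "It's 8pm; bring the \"spare\" pad\\cable."];
$id = sendMessage($pdo, 'alice', $post);

$check = $pdo->prepare('SELECT messageBody FROM messagesystem WHERE ID = ?');
$check->execute([$id]);
// Prints whether the quotes and backslash were stored byte-for-byte.
var_dump($check->fetchColumn() === $post['messageBody']);
```

mysql_real_escape_string() returns an escaped string, so it makes no difference whether the result is concatenated into $sql first or inline in the mysql_query() call. The two snippets in the second post differ only in that the first is missing the closing parenthesis of VALUES (...).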