RON_ron Posted November 26, 2010

I just read a few tutorials about mysql_real_escape_string. Could someone check if this is correct?

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);

$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);
    $name = mysql_real_escape_string($_POST['name'], $db);
    $email = mysql_real_escape_string($_POST['email'], $db);
    $id = mysql_real_escape_string($_POST['id'], $db);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

MrXHellboy Posted November 26, 2010

For the } else { // real escape string } part it is ok. But after the mysql_select_db(), you have $username not escaped.

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);
// Escape special characters
$username = mysql_real_escape_string($_POST['username'], $db);
// Then use the escaped $username
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);
    $name = mysql_real_escape_string($_POST['name'], $db);
    $email = mysql_real_escape_string($_POST['email'], $db);
    $id = mysql_real_escape_string($_POST['id'], $db);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

Besides that, the link identifier would be $conn here, I don't know why you are using $db as link ID.

RON_ron Posted November 26, 2010

Thanks MXH.

RON_ron Posted November 26, 2010

I'm getting some errors.

```
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/.../test.php on line 3
Warning: mysql_real_escape_string() expects parameter 2 to be resource, null given in /home/.../test.php on line 5
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/.../test.php on line 8
```

MrXHellboy Posted November 26, 2010

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $conn);

// Escape special characters
$username = mysql_real_escape_string($_POST['username'], $conn);

// Then use the escaped $username
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $conn);
    $password = mysql_real_escape_string($_POST['password'], $conn);
    $name = mysql_real_escape_string($_POST['name'], $conn);
    $email = mysql_real_escape_string($_POST['email'], $conn);
    $id = mysql_real_escape_string($_POST['id'], $conn);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

RON_ron Posted November 26, 2010

The code updates the db when mysql_real_escape_string is not present. When mysql_real_escape_string is included it always echoes &err=Not Available.

Any idea what may the reason be?

intellix Posted November 26, 2010

If you print out the values before and after using mysql_real_escape_string() on the $username, what are the values?

MrXHellboy Posted November 26, 2010

You lost me.... What's your problem exactly?

RON_ron Posted November 26, 2010

It actually doesn't update my db.

intellix

```php
print "$username ";
$username = mysql_real_escape_string($_POST['username'], $conn);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
print "$username ";
```

before: shows the username
after: nothing

MrXHellboy Posted November 26, 2010

That's because you use a SELECT statement. SELECT statements are used for retrieving data from the DB.

```sql
INSERT INTO table (field1, field2) VALUES ('$var1','$var2')
```

RON_ron Posted November 26, 2010

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $conn);

$username = mysql_real_escape_string($_POST['username'], $conn);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $conn);
    $password = mysql_real_escape_string($_POST['password'], $conn);
    $name = mysql_real_escape_string($_POST['name'], $conn);
    $email = mysql_real_escape_string($_POST['email'], $conn);
    $id = mysql_real_escape_string($_POST['id'], $conn);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

MrXHellboy Posted November 26, 2010

Query is OK. Probably a record has been found, so this will be performed:

```php
$register = "&err=Not Available.";
echo($register);
```

Check your DB against your input.

RON_ron Posted November 26, 2010

Thanks MXH

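
An added example, not part of the thread or written by its posters: the same check-then-insert flow using PDO prepared statements, which takes the place of the `mysql_real_escape_string()` calls discussed above (the `mysql_*` extension was removed in PHP 7.0). Assumptions: an in-memory SQLite database stands in for MySQL so the script runs offline, and the `register()` helper, the `password_hash()` step and the sample input are illustrative.

```php
<?php
// Added example, not code from the thread. Same username check and INSERT,
// but with PDO prepared statements instead of string escaping.
// Assumption: in-memory SQLite stands in for the MySQL "mydataB" database;
// for MySQL only the DSN and credentials passed to new PDO() change.
$pdo = new PDO('sqlite::memory:');
// Fail loudly: a bad connection or query throws instead of returning false,
// so a wrong link variable cannot silently turn input into an empty string.
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE applicant (
    username TEXT PRIMARY KEY, password TEXT, name TEXT, email TEXT, id TEXT)');

// Hypothetical helper: returns the same status strings the thread's code echoes.
function register(PDO $pdo, array $in): string
{
    // Placeholders keep the data out of the SQL text, so quotes in the input
    // cannot change the statement and no escaping call is needed.
    $check = $pdo->prepare('SELECT 1 FROM applicant WHERE username = ?');
    $check->execute([$in['username']]);
    if ($check->fetchColumn() !== false) {
        return '&err=Not Available.';
    }
    $insert = $pdo->prepare(
        'INSERT INTO applicant (username, password, name, email, id)
         VALUES (:username, :password, :name, :email, :id)');
    $insert->execute([
        ':username' => $in['username'],
        // Store a hash, never the submitted password itself.
        ':password' => password_hash($in['password'], PASSWORD_DEFAULT),
        ':name'     => $in['name'],
        ':email'    => $in['email'],
        ':id'       => $in['id'],
    ]);
    return 'Successful.';
}

// Constructed sample input standing in for $_POST; note the embedded quotes.
$post = ['username' => "o'brien", 'password' => 'constructed-sample',
         'name' => "Pat O'Brien", 'email' => 'pat@example.test', 'id' => '42'];
echo register($pdo, $post), "\n";   // first call: username is free, row inserted
echo register($pdo, $post), "\n";   // second call: username already exists
echo $pdo->query('SELECT username FROM applicant')->fetchColumn(), "\n";
```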