RON_ron Posted November 26, 2010

I just read a few tutorials about mysql_real_escape_string. Could someone check if this is correct?

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);
    $name = mysql_real_escape_string($_POST['name'], $db);
    $email = mysql_real_escape_string($_POST['email'], $db);
    $id = mysql_real_escape_string($_POST['id'], $db);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

MrXHellboy Posted November 26, 2010

For the `} else { // real escape string }` part it is OK. But after the mysql_select_db(), you have $username not escaped.

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);
// Escape special characters
$username = mysql_real_escape_string($_POST['username'], $db);
// Then use the escaped $username
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);
    $name = mysql_real_escape_string($_POST['name'], $db);
    $email = mysql_real_escape_string($_POST['email'], $db);
    $id = mysql_real_escape_string($_POST['id'], $db);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

Besides that, the link identifier would be $conn here, I don't know why you are using $db as link ID.

RON_ron Posted November 26, 2010

Thanks MXH.

RON_ron Posted November 26, 2010

I'm getting some errors.

```
Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in /home/.../test.php on line 3
Warning: mysql_real_escape_string() expects parameter 2 to be resource, null given in /home/.../test.php on line 5
Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/.../test.php on line 8
```

MrXHellboy Posted November 26, 2010

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $conn);
// Escape special characters
$username = mysql_real_escape_string($_POST['username'], $conn);
// Then use the escaped $username
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $conn);
    $password = mysql_real_escape_string($_POST['password'], $conn);
    $name = mysql_real_escape_string($_POST['name'], $conn);
    $email = mysql_real_escape_string($_POST['email'], $conn);
    $id = mysql_real_escape_string($_POST['id'], $conn);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

RON_ron Posted November 26, 2010

The code updates the db when mysql_real_escape_string is not present. When mysql_real_escape_string is included it always echoes &err=Not Available. Any idea what the reason may be?

intellix Posted November 26, 2010

If you print out the values before and after using mysql_real_escape_string() on the $username, what are the values?

MrXHellboy Posted November 26, 2010

You lost me.... What's your problem exactly?

RON_ron Posted November 26, 2010

It actually doesn't update my db.

intellix

```php
print "$username ";
$username = mysql_real_escape_string($_POST['username'], $conn);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
print "$username ";
```

before: shows the username
after: nothing

MrXHellboy Posted November 26, 2010

That's because you use a SELECT statement. SELECT statements are used for retrieving data from the DB.

```sql
INSERT INTO table (field1, field2) VALUES ('$var1','$var2')
```

RON_ron Posted November 26, 2010

```php
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $conn);
$username = mysql_real_escape_string($_POST['username'], $conn);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $conn);
    $password = mysql_real_escape_string($_POST['password'], $conn);
    $name = mysql_real_escape_string($_POST['name'], $conn);
    $email = mysql_real_escape_string($_POST['email'], $conn);
    $id = mysql_real_escape_string($_POST['id'], $conn);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>
```

MrXHellboy Posted November 26, 2010

Query is OK. Probably a record has been found, so this will be performed:

```php
$register = "&err=Not Available.";
echo($register);
```

Check your DB against your input.

RON_ron Posted November 26, 2010

Thanks MXH

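Added example, not part of the thread or any poster's code: the same check-then-insert registration written with PDO prepared statements, so the posted values are bound as parameters instead of being escaped into the SQL string. The `register()` helper, the in-memory SQLite stand-in database, the sample input and the password hashing step are assumptions of this example.

```php
<?php
// Added example (not the thread's code). SQLite in memory is a stand-in so it
// runs without a server; for MySQL use a DSN such as
// "mysql:host=localhost;dbname=mydataB;charset=utf8mb4" and skip CREATE TABLE.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE applicant (username TEXT PRIMARY KEY, password TEXT,
    name TEXT, email TEXT, id TEXT)');

// register() is a hypothetical helper; $post stands in for $_POST.
function register(PDO $pdo, array $post): string
{
    foreach (['username', 'password', 'name', 'email', 'id'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            return "&err=Missing $field.";
        }
    }
    // The value is sent separately from the SQL text, so a quote in it
    // cannot change the statement.
    $check = $pdo->prepare('SELECT 1 FROM applicant WHERE username = ?');
    $check->execute([$post['username']]);
    if ($check->fetchColumn() !== false) {
        return '&err=Not Available.';
    }
    $insert = $pdo->prepare('INSERT INTO applicant (username, password, name, email, id)
        VALUES (:username, :password, :name, :email, :id)');
    try {
        $insert->execute([
            ':username' => $post['username'],
            // Hardening beyond the thread: store a hash, not the raw password.
            ':password' => password_hash($post['password'], PASSWORD_DEFAULT),
            ':name'     => $post['name'],
            ':email'    => $post['email'],
            ':id'       => $post['id'],
        ]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') {
            throw $e; // not a uniqueness violation
        }
        return '&err=Not Available.'; // lost the race between SELECT and INSERT
    }
    return 'Successful.';
}

// Constructed sample input; the usernames contain quotes and a backslash.
$sample = ['username' => "o'brien", 'password' => 'pw', 'name' => 'O',
           'email' => 'o@example.test', 'id' => '1'];
echo register($pdo, $sample), "\n";
echo register($pdo, $sample), "\n";
echo register($pdo, ['username' => 'd\\arcy "dee"'] + $sample), "\n";
```

The primary key on `username` makes the database the final arbiter of uniqueness, so two simultaneous registrations cannot both pass the SELECT and create duplicate rows.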