Morning All,

 

Should be a quick one for the seasoned veterans! I'm learning the ins and outs of sanitizing my variables for input into my database (MySQL).

 

The following is my code;

 

$Username = mysql_real_escape_string($_POST['username']);
$PWord = mysql_real_escape_string($_POST['pword']);
$Email = mysql_real_escape_string($_POST['email']);
$Fullname = mysql_real_escape_string($_POST['fullname']);
$Address_1 = mysql_real_escape_string($_POST['address_1']);
$Address_2 = mysql_real_escape_string($_POST['address_2']);
$City = mysql_real_escape_string($_POST['city']);
$Zip = mysql_real_escape_string($_POST['zip']);
$Country = mysql_real_escape_string($_POST['country']);

 

The following is my output;

 

Error executing INSERT statement - INSERT INTO tblUser(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)VALUES ('','','','','','','','','')

 

Any ideas?

 

Also; is mysql_real_escape_string valid for use on all types of input from the input box?

The code you posted looks correct, but mysql_real_escape_string() is not "clearing" the values.  Either the post vars are empty or there is something wrong in the query.

 

Hmmm... close to verbatim  ;D

I thought as much..... I retried the entry page again and got the same output. Will revert to original without the mysql_real_escape_string and retest. Shouldn't have been a coding change but you never know...

I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values.

 

No, I'm setting the variables first with this code snippet and then opening the connection. Should this be done before using mysql commands?

 

 

Others: Have reverted and the code works fine, inserts the new user without issue. Thoughts?

 

P.S I'm using mysqli_connect as the connection string command btw.

I'm going to guess you don't have a connection to the mysql server at the time you use mysql_real_escape_string() on the values.

If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

 

So, by no arguments that means that it attempts a connect with no username, password, etc.  which will most likely fail.

 

So Maq and I were both in error.  :'(

OK; here is the revised code with the connection string as the first line.

$dbc = mysqli_connect('localhost','dbuser','dbpassword','dbname') or die('Error connecting to dbGeneral');

$Username = mysql_real_escape_string($_POST['username']);
$PWord = mysql_real_escape_string($_POST['pword']);
$Email = mysql_real_escape_string($_POST['email']);
$Fullname = mysql_real_escape_string($_POST['fullname']);
$Address_1 = mysql_real_escape_string($_POST['address_1']);
$Address_2 = mysql_real_escape_string($_POST['address_2']);
$City = mysql_real_escape_string($_POST['city']);
$Zip = mysql_real_escape_string($_POST['zip']);
$Country = mysql_real_escape_string($_POST['country']);

$query = "INSERT INTO tableUserNames(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)" .
  "VALUES ('$Username','$Fullname','$Email','$Address_1','$Address_2','$City','$Zip','$Country','$PWord')";

mysqli_query($dbc, $query) or die('Error executing INSERT statement - ' . $query);

 

I'm not getting an error on the connection string; however, even in this scenario I'm getting empty values.

 

Error executing INSERT statement - INSERT INTO tblUser(User_Name, Full_Name, Email, Address_1, Address_2, City, Zip, Country, PWord)VALUES ('','','','','','','','','')

 

 

PHP Errors; Sorry only just threw this code in.

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 14

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 14

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 15

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 15

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 16

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 16

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 17

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 17

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 18

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 18

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 19

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 19

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 20

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 20

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 21

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 21

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'apache'@'localhost' (using password: NO) in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 22

 

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /var/www/vhosts/einterfaces.com.au/httpdocs/ListSite/useradd.php on line 22

LOL -

No, I'm setting the variables first with this code snippet and then opening the connection. Should this be done before using mysql commands?

 

P.S I'm using mysqli_connect as the connection string command btw.

 

^^^ Then why aren't you using mysqli_real_escape_string() (after you connect to the database server)?

 

You should be developing and debugging your code on a system with error_reporting set to E_ALL and display_errors set to ON so that PHP will report and display all the errors it finds. You will save a TON of time.

Just switched it on. Thanks PFMaBiSmAd

Please close thread. Thank you all for your help.

 

mysqli_real_escape_string requires two variables; the connection variable, and the string variable.

 

Once corrected; the strings are parsed escaped.
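
The fix the thread arrives at, as an added example that is not code from any poster: connect with mysqli first, then either escape on that link with mysqli_real_escape_string() or bind the values in a prepared statement so that no escaping is needed. The credentials are the thread's placeholders, the `$post` array is constructed sample input standing in for `$_POST`, the table name is taken from the thread's error output, and the password hashing step is an addition the thread does not discuss.

```php
<?php
// Development settings recommended in the thread; keep display_errors off in production.
error_reporting(E_ALL);
ini_set('display_errors', '1');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli failures throw exceptions

// Constructed sample input standing in for $_POST.
$post = [
    'username'  => "o'brien",
    'fullname'  => "Pat O'Brien",
    'email'     => 'pat@example.com',
    'address_1' => '1 Example St',
    'address_2' => '',
    'city'      => 'Sydney',
    'zip'       => '2000',
    'country'   => 'AU',
    'pword'     => 'correct horse battery staple',
];

// 1. Connect first: escaping depends on the character set of an open link.
$dbc = mysqli_connect('localhost', 'dbuser', 'dbpassword', 'dbname');
mysqli_set_charset($dbc, 'utf8mb4');

// 2. Escape through the same extension that opened the link, passing the link
//    as the first argument. The result is only safe inside a quoted SQL string
//    literal, not as a bare number or as a table or column name.
$username = mysqli_real_escape_string($dbc, $post['username']);
echo "Escaped username: $username\n";

// 3. Alternative: a prepared statement sends the values separately from the
//    SQL text, so the query needs no escaping and no quoting at all.
$fields = ['username', 'fullname', 'email', 'address_1', 'address_2',
           'city', 'zip', 'country', 'pword'];
$values = [];
foreach ($fields as $f) {
    $values[] = isset($post[$f]) ? (string) $post[$f] : '';
}
// Addition beyond the thread: store a hash, not the password itself.
// Assumes the PWord column can hold 255 characters.
$values[8] = password_hash($values[8], PASSWORD_DEFAULT);

$stmt = mysqli_prepare(
    $dbc,
    'INSERT INTO tblUser (User_Name, Full_Name, Email, Address_1, Address_2,
                          City, Zip, Country, PWord)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
mysqli_stmt_bind_param($stmt, str_repeat('s', count($values)), ...$values);
mysqli_stmt_execute($stmt);
echo 'Inserted rows: ' . mysqli_stmt_affected_rows($stmt) . "\n";
```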
