mysql_real_escape_string() not working

[Nodral]

Hi All

 

I'm trying to create a 'safe' string from a user input to be written to a database, however when I use the mysql_real_escape_string function I just get an empty variable returned.  I've even tried hard-coding the variable and it just gets wiped.

 

<?php
session_start();
include_once("connect.php");
include_once("is_logged_in.php");
include_once("is_admin.php");

$USERID=$_SESSION['USERID'];
$new_question=$_POST['new_question'];
$dirty_questiontext=$_POST['questiontext'];
$dirty_new_text=$_POST['new_text'];
$new_id=$_POST['new_id'];
$type=$_POST['type'];
$new_text=mysql_real_escape_string($dirty_new_text);
echo "this is the new stuff" . $new_text;


//get custom functions
include_once("functions.php");



//check data tables exist and create if not
include("table_check.php");




// add any new questiontext

if(isset($questiontext)){
$sql="INSERT INTO ls_questions (text, category) VALUES ('$questiontext', '$type')";
mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
unset($new_question);
unset($questiontext);
unset($new_text);
unset($new_id);
}

//any questions edited?
/*if(isset($new_text)){
$sql='UPDATE ls_questions SET text = "' . $new_text . '",category= "' . $type . '" WHERE id = ' . $new_id;
mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
unset($new_question);
unset($questiontext);
unset($new_text);
unset($new_id);
}
*/



//is user an admin and shall we add / edit question text?
include("header.php");
echo"</head><body>";
if ($_SESSION['role']=="admin"){
//has user selected to add a question?
if(isset($new_question)){
	if($new_question=="create"){
	?>
	<p>Add text of new question</p>
	<form method="POST" action="">
	<input type="text" name="questiontext" size="100">
	<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
	<input type="submit">
	</form>
	<?php
}else{
		$text=get_question_text($new_question, "ls_questions");
		echo"<p>Previous question text is $text</p><p>Please enter new text in box below</p>";
		?>
		<form method="POST" action="">
		<input type="text" name="new_text" size="100" value="<?php echo $text; ?>">
		<input type="hidden" name="new_id" value="<?php echo $new_question; ?>">
		<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
		<input type="submit">
		<?
	}
}

echo"<p>Below is a list of current questions, either select one to edit or add a new one</p>";

//get all current questions and put in array with id numbers as key

$sql="SELECT id, text, category FROM ls_questions";
$sql=mysql_query($sql);
$count=mysql_num_rows($sql);
while($row=mysql_fetch_array($sql)){
	$all_questions[$row['id']][$row['category']]=$row['text'];
}
//echo "<H1>count - $count</H1>";

//echo out existing questions as list with a radio button to edit
if($count!=0){
?>
<table border="2">
<form method="POST" action="">
<tr><td>Question Text</td><td>Type</td><td>Edit?</td><tr>
<tr><td colspan="2">Add new question</td><td><input type="radio" name="new_question" value="create"></td></tr>


<?php
	while(list($id, $array)=each($all_questions)){
	while(list($category, $text)=each($array)){
	echo'<tr><td>' . $text . '</td><td>' . $category . '</td><td><input type="radio" name="new_question" value="' . $id . '"</td></tr>';
}
}
?>
<tr><td colspan="3" align="center"><input type="submit"></td></tr>
<form>
</table>
<?php
}else{
	?>
	<p>Add text of first question</p>
	<form method="POST" action="">
	<input type="text" name="questiontext" size="100">
	<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
	<input type="submit">
	</form>
	<?php
	}

}else{
echo "fail";
}

?>
</body>

 

Any ideas?

[fugix]

1. Are you sure that you are properly connected to your database?

 

2. Did you check to make sure that $_POST['new_text'] is actually passing data properly

[QuickOldCar]

update this line

if(isset($questiontext)){

 

if(isset($_POST['questiontext'])){

 

or even like

if(!isset($_POST['questiontext'])){
echo "post question text not set";
} else {
//execture query here
}

 

Checking for empty values may be nice as well

if(isset($_POST['questiontext']) && $_POST['questiontext'] != ""){
//execute the query
} else {
echo "post question text not set";
}

 

Just some examples of checking, there are more and even different ways

 

Nowhere in the code do I see $questiontext

EDIT:

Lemme rephrase

Nowhere do I see $questiontext assigned to a $_POST

I see

$dirty_questiontext=$_POST['questiontext'];

instead of most likely you meant

$questiontext=$_POST['questiontext'];

 

[Nodral]

Hi Guys

 

Thanks for the help, but $_POST['questiontext'] is set by the form around line 126.  I know the database is connected as the form populates information from there prior to submission. 

 

The problem is not with the variable $questiontext, this will be added to the code later once I can find out why the escape function will not work with $dirty_new_text and $new_text.

 

As mentioned I have manually set a value to $ new_text, and it works until I pass it to the mysql_real_escape_string function.

 

Any more ideas?

[Drummin]

The mysql_real_escape_string is working just fine (after I added my DB connection), though the logic of your forms might be misleading.  Add print post to your page to make sure the form names you think are being sent are actually the one's being sent, in other words looking for "new_text" and not "questiontext" or "new_question".  It worked fine for me once I figured out which form to use.

print_r($_POST)

;

[fugix]

if it was an error with the actual mysql_real_escape_string() function, when you echoed the string it would return false on error, not empty. this makes me believe that data is not actually being passed to the variable before using the function on it.

[Nodral]

I've sorted this problem

 

The issue was there was a ` rather than a ' .  For some reason this was not being escaped.

[fugix]

interesting, thank you for telling us what was causing the error.

 

Edit: please mark this thread as solved in the lower left hand of the page.

[Pikachu2000]

I've sorted this problem

 

The issue was there was a ` rather than a ' .  For some reason this was not being escaped.

 

mysql_real_escape_string isn't supposed to escape backticks . . .

[fugix]

I've sorted this problem

 

The issue was there was a ` rather than a ' .  For some reason this was not being escaped.

 

mysql_real_escape_string isn't supposed to escape backticks . . .

thats what I thought too, i believe that the only special chars that mysql_real_escape_string() cannot escape are the % and _ since they can be used as wildcards. I'm thinking that maybe he placed a ` in one of his post indices instaed of a ' ??