Hi All

 

I'm trying to create a 'safe' string from a user input to be written to a database, however when I use the mysql_real_escape_string function I just get an empty variable returned.  I've even tried hard-coding the variable and it just gets wiped.

 

<?php
session_start();
include_once("connect.php");
include_once("is_logged_in.php");
include_once("is_admin.php");

$USERID=$_SESSION['USERID'];
$new_question=$_POST['new_question'];
$dirty_questiontext=$_POST['questiontext'];
$dirty_new_text=$_POST['new_text'];
$new_id=$_POST['new_id'];
$type=$_POST['type'];
$new_text=mysql_real_escape_string($dirty_new_text);
echo "this is the new stuff" . $new_text;


//get custom functions
include_once("functions.php");



//check data tables exist and create if not
include("table_check.php");




// add any new questiontext

if(isset($questiontext)){
$sql="INSERT INTO ls_questions (text, category) VALUES ('$questiontext', '$type')";
mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
unset($new_question);
unset($questiontext);
unset($new_text);
unset($new_id);
}

//any questions edited?
/*if(isset($new_text)){
$sql='UPDATE ls_questions SET text = "' . $new_text . '",category= "' . $type . '" WHERE id = ' . $new_id;
mysql_query($sql) or die("<b>A fatal MySQL error occured</b>.\n<br />Query: " . $sql . "<br />\nError: (" . mysql_errno() . ") " . mysql_error());
unset($new_question);
unset($questiontext);
unset($new_text);
unset($new_id);
}
*/



//is user an admin and shall we add / edit question text?
include("header.php");
echo"</head><body>";
if ($_SESSION['role']=="admin"){
//has user selected to add a question?
if(isset($new_question)){
	if($new_question=="create"){
	?>
	<p>Add text of new question</p>
	<form method="POST" action="">
	<input type="text" name="questiontext" size="100">
	<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
	<input type="submit">
	</form>
	<?php
}else{
		$text=get_question_text($new_question, "ls_questions");
		echo"<p>Previous question text is $text</p><p>Please enter new text in box below</p>";
		?>
		<form method="POST" action="">
		<input type="text" name="new_text" size="100" value="<?php echo $text; ?>">
		<input type="hidden" name="new_id" value="<?php echo $new_question; ?>">
		<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
		<input type="submit">
		</form>
		<?php
	}
}

echo"<p>Below is a list of current questions, either select one to edit or add a new one</p>";

//get all current questions and put in array with id numbers as key

$sql="SELECT id, text, category FROM ls_questions";
$sql=mysql_query($sql);
$count=mysql_num_rows($sql);
while($row=mysql_fetch_array($sql)){
	$all_questions[$row['id']][$row['category']]=$row['text'];
}
//echo "<H1>count - $count</H1>";

//echo out existing questions as list with a radio button to edit
if($count!=0){
?>
<table border="2">
<form method="POST" action="">
<tr><td>Question Text</td><td>Type</td><td>Edit?</td></tr>
<tr><td colspan="2">Add new question</td><td><input type="radio" name="new_question" value="create"></td></tr>


<?php
	while(list($id, $array)=each($all_questions)){
	while(list($category, $text)=each($array)){
	echo'<tr><td>' . $text . '</td><td>' . $category . '</td><td><input type="radio" name="new_question" value="' . $id . '"></td></tr>';
}
}
?>
<tr><td colspan="3" align="center"><input type="submit"></td></tr>
</form>
</table>
<?php
}else{
	?>
	<p>Add text of first question</p>
	<form method="POST" action="">
	<input type="text" name="questiontext" size="100">
	<select name="type">
		<option value="Activist">Activist</option>
		<option value="Reflector">Reflector</option>
		<option value="Theorist">Theorist</option>
		<option value="Pragmatist">Pragmatist</option>
		</select>
	<input type="submit">
	</form>
	<?php
	}

}else{
echo "fail";
}

?>
</body>

 

Any ideas?

update this line

if(isset($questiontext)){

 

if(isset($_POST['questiontext'])){

 

or even like

if(!isset($_POST['questiontext'])){
echo "post question text not set";
} else {
//execute query here
}

 

Checking for empty values may be nice as well

if(isset($_POST['questiontext']) && $_POST['questiontext'] != ""){
//execute the query
} else {
echo "post question text not set";
}

 

Just some examples of checking, there are more and even different ways

 

Nowhere in the code do I see $questiontext

EDIT:

Lemme rephrase

Nowhere do I see $questiontext assigned to a $_POST

I see

$dirty_questiontext=$_POST['questiontext'];

instead of most likely you meant

$questiontext=$_POST['questiontext'];

 

Hi Guys

 

Thanks for the help, but $_POST['questiontext'] is set by the form around line 126.  I know the database is connected as the form populates information from there prior to submission. 

 

The problem is not with the variable $questiontext, this will be added to the code later once I can find out why the escape function will not work with $dirty_new_text and $new_text.

 

As mentioned I have manually set a value to $new_text, and it works until I pass it to the mysql_real_escape_string function.

 

Any more ideas?

The mysql_real_escape_string is working just fine (after I added my DB connection), though the logic of your forms might be misleading.  Add print post to your page to make sure the form names you think are being sent are actually the ones being sent, in other words looking for "new_text" and not "questiontext" or "new_question".  It worked fine for me once I figured out which form to use.

print_r($_POST);

If it was an error with the actual mysql_real_escape_string() function, when you echoed the string it would return false on error, not empty. This makes me believe that data is not actually being passed to the variable before using the function on it.

I've sorted this problem

 

The issue was there was a ` rather than a ' .  For some reason this was not being escaped.

 

mysql_real_escape_string isn't supposed to escape backticks . . .

That's what I thought too, I believe that the only special chars that mysql_real_escape_string() cannot escape are the % and _ since they can be used as wildcards. I'm thinking that maybe he placed a ` in one of his post indices instead of a ' ??
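
An added example, not code from the thread or any of its posters: the INSERT and UPDATE from the first post rewritten with bound parameters, so a backtick, quote, % or _ in the input is stored as data and needs no escaping at all. Assumptions: PDO with an in-memory SQLite database stands in for connect.php so the script runs without a server, and save_question() and CATEGORIES are hypothetical names; the mysql_* functions used in the thread were removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for connect.php so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ls_questions (id INTEGER PRIMARY KEY, text TEXT, category TEXT)');

// The four values offered by the <select name="type"> in the original form.
const CATEGORIES = ['Activist', 'Reflector', 'Theorist', 'Pragmatist'];

// Hypothetical helper: validate the posted fields, then insert or update.
function save_question(PDO $pdo, array $post): string
{
    $type = $post['type'] ?? '';
    if (!in_array($type, CATEGORIES, true)) {
        return 'rejected: unknown category';
    }
    if (isset($post['questiontext']) && $post['questiontext'] !== '') {
        $stmt = $pdo->prepare('INSERT INTO ls_questions (text, category) VALUES (?, ?)');
        $stmt->execute([$post['questiontext'], $type]);
        return 'inserted id ' . $pdo->lastInsertId();
    }
    if (isset($post['new_text'], $post['new_id']) && ctype_digit((string) $post['new_id'])) {
        $stmt = $pdo->prepare('UPDATE ls_questions SET text = ?, category = ? WHERE id = ?');
        $stmt->execute([$post['new_text'], $type, (int) $post['new_id']]);
        return 'updated rows: ' . $stmt->rowCount();
    }
    return 'rejected: no valid question text or id';
}

// Constructed sample submissions, including the characters discussed above.
$samples = [
    ['questiontext' => "I don`t like 'rules' or 100%_certainty", 'type' => 'Activist'],
    ['new_text' => "x', category='Theorist", 'new_id' => '1', 'type' => 'Reflector'],
    ['new_text' => 'edited', 'new_id' => '1 OR 1=1', 'type' => 'Reflector'],
    ['questiontext' => 'anything', 'type' => 'Admin'],
];
foreach ($samples as $post) {
    echo save_question($pdo, $post), "\n";
}
foreach ($pdo->query('SELECT id, text, category FROM ls_questions') as $row) {
    // Escape on output too: the stored text is raw user input.
    echo htmlspecialchars("{$row['id']}: {$row['text']} [{$row['category']}]", ENT_QUOTES), "\n";
}
```

The same prepare() and execute() calls work unchanged with the pdo_mysql driver; only the DSN passed to the PDO constructor differs.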
