Moved servers, "mysql_real_escape_string( $_GET['ID']);" no longer works...

[dlebowski]

I moved my application to a new server with a new install of PHP.  Anyway, some of my "mysql_real_escape_string( $_GET['ID'])" requests work, some do not.  Does anyone know why this would be?  It works fine on my old server.  Thank you.

 

Ryan

[PFMaBiSmAd]

The only thing that would affect mysql_real_escape_string, would be if there isn't a connection to the database server at the time you called the function. You would be be getting empty/null values out. You would also be getting php warning messages, because php would attempt to create a database connection when there isn't already one, using default values for the host/user/password, which generally fails.

 

It's more likely your data isn't what you expect. What exact symptoms or errors are you getting that would help pin down the problem?

[dlebowski]

This is literally all that is on this page:

 

My URL:  myurl.com/editlot.php?LotID=100121361

 

<?
print $LotID=mysql_real_escape_string( $_GET['LotID']);

?>

 

It won't output anything to the screen.

 

 

[PFMaBiSmAd]

What does the 'view source' of the page in your browser show? Do you have php's error_reporting set to E_ALL and either display_errors ON (errors would be displyed) or log_errors ON (errors would be written to the error log file)?

 

You do need to make a connection to the database server somehow, before calling mysql_real_escape_string. The condition where a connection would automatically be made, would require that you either have a pre-pended file that creates a connection or that your php.ini has correct default mysql connection details set up in it.

[dlebowski]

View source displays nothing.  What is wierd, is that it works on the other server. 

 

I took your advice, and removed the "mysql_real_escape_string" and it works now. So, that is definitely the problem.  So, is there a setting in my PHP config that is affecting this on my new server?

 

Thank you for your quick replies.

 

Ryan

[PFMaBiSmAd]

It appears that you have values set somewhere for the mysql.default_host, mysql.default_user, mysql.default_password settings on the server where this 'works'. This can either be in the master php.ini, a local php.ini (when php is running as a cgi application), or in a .htaccess file (when php is running as an Apache Module.)

 

Does your code that accesses a database have mysql_connect() and mysql_select_db() statements in it?

 

The reason I ask, is A) you must know if and where you are making a connection to the database server, B) Because, if you are not making an expected connection to the correct database server, you could be using a character set for the mysql_real_escape_string statement that DOES NOT prevent sql injection on your actual database.

[dlebowski]

This is how I connect:

 

include("dbinfo.inc.php");
mysql_connect($myserver,$uname,$pword);
@mysql_select_db($database) or die( "Unable to select database");

[PFMaBiSmAd]

On the page that use the $_GET['LotID'] value, do you have that connection code before the mysql_real_escape_string function is called?

[dlebowski]

If i do that, it WILL work.  I am just concerned because I didn't want to have to modify all these scripts to make sure it works.  I was hoping I could figure out what is different on this server as oppose to my old one.

 

Ryan

[PFMaBiSmAd]

Someone has already posted how a connection can be made without your code deliberately making one -

 

The condition where a connection would automatically be made, would require that you either have a pre-pended file that creates a connection or that your php.ini has correct default mysql connection details set up in it.

 

It appears that you have values set somewhere for the mysql.default_host, mysql.default_user, mysql.default_password settings on the server where this 'works'. This can either be in the master php.ini, a local php.ini (when php is running as a cgi application), or in a .htaccess file (when php is running as an Apache Module.)

[dlebowski]

I understand what you posted, I'm looking through the php.ini files and comparing them and there is nothing in the MYSQL section that is different.  Anyway, I will see what else I can come up with.  Thank you.

 

Ryan