
real_escape_string question


thefreebielife


I've never used this before, but did I set this up right?

<?php
if($_POST['task']=="addmcr")
{
$sql ="Insert into mcredit (dateCompOffer, email, status, username, offername)values ('"  . $_POST['dateOfferComp'] . "', '" . $_POST['email'] . "', 'Unread','". $_SESSION['username'] ."','" . $_POST['offername'] . "')";
mysql_real_escape_string($email),
if(mysql_query($sql)){
	echo "<center><FONT SIZE='2px' COLOR='#FF0000'><B>Manual Credit Request Submitted Successfully.</B></FONT></center>" ;
}else{
	echo mysql_error();
}
} php?>

 

Obviously I didn't, since it's not working, but what's wrong?

 

Here is where it comes from:

<FORM NAME="f" METHOD=POST ACTION="main.php">
		  <INPUT TYPE="hidden" name="task" value="addmcr">

           <p> </p>
           <table width="450" border="0" align="center"  class="table" style="border: 1px dashed red; padding: 4px 4px 4px 4px; ">
<tr>
    <td colspan="2"><div align="center"><? 
if ($error == "firstname") { echo "<font color=red><center>Your First Name is Incorrect</center></font>"; }
if ($error == "address") { echo "<font color=red><center>Your Address is Incorrect</center></font>"; }
if ($error == "city") { echo "<font color=red><center>Your City is Incorrect</center></font>"; }
if ($error == "state") { echo "<font color=red><center>Your State is Incorrect</center></font>"; }
if ($error == "zip") { echo "<font color=red><center>Your Zip Code is Incorrect</center></font>"; }
if ($error == "Email") { echo "<font color=red><center>Your Email is Incorrect</center></font>"; }
if ($error == "doubleemail") {echo '<center><font color="#ff0000">This Email is already in use.  <br>Please Try Again'; }

?></div></td>
</tr>

<tr>
    <td colspan="2" style="border-bottom:1px dashed red "><div align="left"><strong>Manual Credit Request </strong></div></td>
</tr>
  <tr>
    <td width="400"> </td>
    <td width="320"> </td>
  </tr>
  <tr>
    <td align="right">Date <BR><FONT SIZE="1" COLOR=""><B>(YYYY-MM-DD)</B></FONT>: </td>
    <td><input name="dateOfferComp" type="text" size="50" value=""  /></td>
  </tr>
  <tr>
    <td height="26" align="right">Offer Name : </td>
    <td><input name="offername" type="text" size="50" value=""/></td>
  </tr>

  <tr>
    <td height="26" align="right" valign=top>Full Email with Headers: </td>
    <td><TEXTAREA NAME="email" ROWS="10" COLS="38"></TEXTAREA></td>
  </tr>

   <tr>
   <td> </td>
    <td >
      <div align="left">
        <input type="submit" name="Submit" value="Submit Manual Credit Request" class="button" />
        </div></td>
  </tr>
     <tr>
    <td colspan="2"></td>
  </tr>
</table>
</form>

https://forums.phpfreaks.com/topic/52710-real_escape_string-question/

Here is some code cooked up by people on the forum. I would actually use this in place of mysql_real_escape_string.

 

<?php
// Escape a string for use inside a single-quoted MySQL literal without
// needing a database connection. The character list is: NUL, newline,
// carriage return, backslash, single quote, double quote and Ctrl-Z
// (the same set mysql_real_escape_string handles).
// If magic_quotes_gpc is on, PHP has already added slashes to request
// data, so strip those first to avoid double escaping.
function myEscape($string) {
    $chars = "\x00\n\r\\'\"\x1a";
    if (get_magic_quotes_gpc()) {
        $string = stripslashes($string);
    }
    return addcslashes($string, $chars);
}

if ($_POST['task'] == "addmcr")
{
    // Every value interpolated into the statement goes through myEscape(),
    // including the session username, which originally came from user input.
    $sql = "INSERT INTO mcredit (dateCompOffer, email, status, username, offername) VALUES ('"
         . myEscape($_POST['dateOfferComp']) . "', '"
         . myEscape($_POST['email']) . "', 'Unread', '"
         . myEscape($_SESSION['username']) . "', '"
         . myEscape($_POST['offername']) . "')";

    if (mysql_query($sql)) {
        echo "<center><FONT SIZE='2px' COLOR='#FF0000'><B>Manual Credit Request Submitted Successfully.</B></FONT></center>";
    } else {
        echo mysql_error();
    }
}
?>

 

That way you are sure it is not being double escaped and you do not need a DB connection to use it.
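Added example, not code from either post in this thread: the same INSERT written with a mysqli prepared statement. Binding parameters sends the values to the server separately from the SQL text, so no escaping function is needed at all, and the result does not depend on magic_quotes or on the connection character set (a hand-rolled addcslashes() escaper does not know the charset, and mysql_real_escape_string() only gets it right when it is called on an open connection with the charset set; the mysql_* extension itself was removed in PHP 7). The code assumes a mysqli connection in $db created elsewhere in main.php, that session_start() has been called, and the poster's mcredit table and form field names; the YYYY-MM-DD check and the function name are this example's own choices.

```php
<?php
// Added example, not from the thread. Assumes $db is an open mysqli
// connection (hypothetical, created elsewhere in main.php with
// $db->set_charset('utf8mb4')) and the poster's mcredit table.

function addManualCreditRequest(mysqli $db, array $post, string $username): bool
{
    // The form asks for a YYYY-MM-DD date, so reject anything else before
    // touching the database (validation policy assumed for this example).
    $date = $post['dateOfferComp'] ?? '';
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
        return false;
    }
    $email     = $post['email'] ?? '';
    $offername = $post['offername'] ?? '';

    // Placeholders instead of string interpolation: the values never become
    // part of the SQL text, so quotes, backslashes or NULs in them are inert.
    $sql = "INSERT INTO mcredit (dateCompOffer, email, status, username, offername)
            VALUES (?, ?, 'Unread', ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    // "ssss": all four placeholders are bound as strings.
    $stmt->bind_param('ssss', $date, $email, $username, $offername);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['task']) && $_POST['task'] === 'addmcr') {
    // $_SESSION is available because session_start() ran earlier (assumed).
    if (addManualCreditRequest($db, $_POST, $_SESSION['username'] ?? '')) {
        echo '<p>Manual Credit Request Submitted Successfully.</p>';
    } else {
        // Keep the driver's error message in the server log; echoing
        // mysqli_error() to the browser leaks schema and query details.
        error_log('mcredit insert failed: ' . $db->error);
        echo '<p>Could not submit the request.</p>';
    }
}
```

The original code echoes mysql_error() straight to the visitor; the example logs it instead, because the raw error text reveals table and column names that help anyone probing the form. Note also that $_SESSION['username'] is bound like any other value rather than trusted: it was typed by a user at registration time.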
