
mysql_real_escape_string not going into database


suttercain


Hi guys,

 

I am trying to INSERT data into MySQL and can when I don't use mysql_real_escape_string:

if (isset($_POST['submit'])) {
    $first_name = $_SESSION['fname'];
    // INSERT query goes here: works
}

 

Now when I try to do this:

if (isset($_POST['submit'])) {
    $first_name = $_SESSION['fname'];
    $first_name = mysql_real_escape_string($first_name);
    // INSERT query goes here: doesn't work
}

 

Anyone know why it's not working? I ran print_r to make sure the SESSION array contained the form information and it does. When I remove mysql_real_escape_string from the variables it goes into the database but as soon as I add it it just enters blank fields.

 

Thanks

Link to comment
Share on other sites

Hi guys,

 

Yeah I am running PHP 5.0 and I did try to catch the error:

 

<?php
print_r($_SESSION);
//If Everything Appears to be Okay, the User Sends to the Database by clicking submit
if(isset($_POST['submit'])){
	$first_name = $_SESSION['fname'];//THIS ONE IS ENTERED the rest ARE NOT
	$last_name = mysql_real_escape_string($_SESSION['lname']);
	$street = mysql_real_escape_string($_SESSION['street']);
	$city = mysql_real_escape_string($_SESSION['city']);
	$state= mysql_real_escape_string($_SESSION['state']);
	$zip_code = mysql_real_escape_string($_SESSION['zip']);
	$phone = mysql_real_escape_string($_SESSION['phone']);
	$vehicle_year = mysql_real_escape_string($_SESSION['year']);
	$vehicle_make = mysql_real_escape_string($_SESSION['make']);
	$vehicle_model = mysql_real_escape_string($_SESSION['model']);
	$vin = mysql_real_escape_string($_SESSION['vin']);
	$phone = mysql_real_escape_string($_SESSION['phone']);
	$letter_requested = date('l F jS, Y');
	$time = date('g:i A');
	$next_month = date('l F jS, Y', strtotime("+28 day", time()));
	echo $first_name;
	require ('get_connected.php');
	mysql_query("INSERT INTO canada (first_name, last_name, street, city, state, zip_code, phone, vehicle_year, vehicle_make,
		vehicle_model, vin, letter_requested, time)
		VALUES ('$first_name', '$last_name', '$street', '$city', '$state', '$zip_code',
		'$phone', '$vehicle_year', '$vehicle_make', '$vehicle_model', '$vin', '$letter_requested', '$time')")
		or die('Error In Query: ' . mysql_error());

		// $date was never defined; the submission date is held in $letter_requested
		echo "Thank You, $first_name $last_name.<br>
			  Your information was submitted on $letter_requested. If we have any questions we will contact you at $phone.<br>
			  If you do not receive your letter by $next_month, please call us at 1-800-242-4450.";

	} else {
		echo "There was an error submitting your information. Please try again later or call us at 1-800-333-3333.";
		}
?>

 

 

Any other ideas?

 

Link to comment
Share on other sites

Make sure you have a mysql_connect before you use mysql_real_escape_string.

 

If you do, try doing a var dump before and after. Make sure it's actually returning something.

 

$first_name = $_SESSION['fname'];

var_dump($first_name);

$first_name = mysql_real_escape_string($first_name);

var_dump($first_name);

Link to comment
Share on other sites

Hi Frost, no, I am storing the variables in sessions. Again, this works:

$first_name = $_SESSION['fname'];

and I do have <?php session_start(); ?> before the headers are sent. I am going to try that var dump... but something is happening when I add the mysql_real_escape_strings. Before I add that, I can echo the data that was stored in the session, and print_r($_SESSION) yields the correct data stored in the array, but if I add mysql_real_escape_strings to any of the variables it now "empties" the variable and no data can be echoed or inserted into the database.

Link to comment
Share on other sites

first try

 

$first_name = $_SESSION['fname'];
$first_name = mysql_real_escape_string($first_name);
print $first_name;

 

to see what it has become

 

then try

 

$first_name = $_SESSION['fname'];
$first_name_sanitised = mysql_real_escape_string($first_name);

 

then try

 

instead of assigning $first_name = mysql_real_escape_string($first_name); put the mysql_real_escape_string($first_name); directly into the SQL statement.

 

maybe by doing this

 

$first_name = mysql_real_escape_string($_SESSION['fname']);//THIS ONE IS ENTERED the rest ARE NOT

 

Maybe you somehow do something to the session array and damage the rest. Maybe this is because you put the session[] directly into the escape string function; try putting it in a var and then putting that var into the escape function.

Link to comment
Share on other sites

Make sure you have a mysql_connect before you use mysql_real_escape_string.

 

If you do, try doing a var dump before and after. Make sure it's actually returning something.

 

$first_name = $_SESSION['fname'];

var_dump($first_name);

$first_name = mysql_real_escape_string($first_name);

var_dump($first_name);

 

Hey, I didn't know about var dump, good idea.

Link to comment
Share on other sites

this worked

 

$first_name = $_SESSION['fname'];

$first_name_sanitised = mysql_real_escape_string($first_name);

echo $first_name_sanitised;

 

but in theory (and other pages I have worked on) this should work:

$first_name = $_SESSION['fname'];

$first_name_sanitised = mysql_real_escape_string($first_name);

echo $first_name;

 

right?

 

Thanks for your help!

Link to comment
Share on other sites

so I tried :

 

$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);

 

and this is what I got:

string(7) "Shannon" bool(false)

 

Why is the string being converted to a boolean after I add the mysql_real_escape_string?

Link to comment
Share on other sites

Notes

 

    Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

 

    Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

 

    Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.

 

    Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

 

You do have a database connection initiated don't you?

Link to comment
Share on other sites

Yes. I have

require ('get_connected.php');

 

I know it works because when I remove the mysql_real_escape_string all the data is placed into the database. But when I add mysql_real_escape_string around the variables it now appears to turn them into a boolean and a blank record is added.

Link to comment
Share on other sites

I should have looked at the code closer.

 

	require ('get_connected.php');
	mysql_query ("INSERT INTO canada (f

 

That is AFTER you used mysql_real_escape_string.

 

You need to require the get_connected.php BEFORE you call mysql_real_escape_string.

Link to comment
Share on other sites

Just a thought, is register_globals on?

 

I think as soon as you apply the = operator the variable no longer exists with its previous value, e.g. the memory space is readied for the variable after the =

 

As soon as you say = and the first assignment, e.g. anything, even a single char, wipes the mem.

Link to comment
Share on other sites

so I tried :

 

$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);

 

and this is what I got:

string(7) "Shannon" bool(false)

 

Why is the string being converted to a boolean after I add the mysql_real_escape_string?

 

the mysql escape returns a bool on success or failure

Link to comment
Share on other sites

You are trying to insert string(7) "Shannon" bool(false) into a field in the DB that is not INT, so it is rejected most probably.

 

by saying

 

$first_name = mysql_real_escape_string($first_name);

 

you are making

 

$first_name = 1 or 0, $firstname

 

this is exactly how your variable looks

 

"fname" 0

 

This cannot be inserted into a text or varchar because it is of type INT, but you may receive no error because it is mixed.

 

BUT IM SURE I USE IT LIKE THIS TOO let me check OK

	$password = crypt(mysql_real_escape_string($_POST["password"]));

	$sql = "INSERT INTO users (userid, password, email, `group`) ".
	"VALUES ('".
	mysql_real_escape_string($_POST["userid"])."', '".
	$password."', "."'".
	mysql_real_escape_string($_POST["email"])."', '".
	mysql_real_escape_string($_POST["group"])."'".
	");";

A page like this is highly susceptible to XSS, so be sure to check where the posts came from.

Link to comment
Share on other sites

I should have looked at the code closer.

 

	require ('get_connected.php');
	mysql_query ("INSERT INTO canada (f

 

That is AFTER you used mysql_real_escape_string.

 

You need to require the get_connected.php BEFORE you call mysql_real_escape_string.

 

That is the problem, nadeemshafi9. No worries, it is solved with that excerpt.

Link to comment
Share on other sites
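
The blank records in this thread came from an escape call that ran before the connection existed and returned FALSE without stopping the script. As an added example (not code from any poster in the thread), the same INSERT can be written with PDO prepared statements, so the connection is an explicit argument, values are bound rather than escaped, and any failure throws instead of inserting blanks. The DSN, credentials and the function names open_db() and insert_request() are assumptions; the table, column and session key names are taken from the code posted above.

```php
<?php
// Added example, not the thread's code. DSN, credentials and function names
// are placeholders/assumptions; table and column names come from the thread.
declare(strict_types=1);

function open_db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example;charset=utf8mb4',
        'db_user',
        'db_password',
        [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
            PDO::ATTR_EMULATE_PREPARES => false,          // bind values server-side
        ]
    );
}

function insert_request(PDO $db, array $s): void
{
    // Session key => column, as used by the thread's form.
    $map = [
        'fname' => 'first_name', 'lname' => 'last_name', 'street' => 'street',
        'city' => 'city', 'state' => 'state', 'zip' => 'zip_code',
        'phone' => 'phone', 'year' => 'vehicle_year', 'make' => 'vehicle_make',
        'model' => 'vehicle_model', 'vin' => 'vin',
    ];
    $row = [];
    foreach ($map as $key => $column) {
        // Reject missing, empty or non-string values instead of storing blanks.
        if (!isset($s[$key]) || !is_string($s[$key]) || $s[$key] === '') {
            throw new InvalidArgumentException("Missing field: $key");
        }
        $row[$column] = $s[$key];
    }
    $row['letter_requested'] = date('l F jS, Y');
    $row['time'] = date('g:i A');
    $columns = implode(', ', array_keys($row));
    $params  = ':' . implode(', :', array_keys($row));
    // Column names are the fixed literals above; only values are bound.
    $stmt = $db->prepare("INSERT INTO canada ($columns) VALUES ($params)");
    $stmt->execute($row);
}

session_start();
if (isset($_POST['submit'])) {
    insert_request(open_db(), $_SESSION);
}
```

The mysql_* extension used throughout the thread was removed in PHP 7.0, so code of this shape is also what a migration away from it looks like.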
