mysql_real_escape_string not going into database

[suttercain]

Hi guys,

 

I am trying to INSERT data into MySQL and can when I don't use mysql_real_escape_string:

if(isset($_POST['submit'])){
$first_name = $_SESSION['fname'];
INSERT HERE //works

 

Now when I try to do this:

if(isset($_POST['submit'])){
$first_name = $_SESSION['fname'];
$first_name = mysql_real_escape_string($first_name);
INSERT HERE //doesn't work

 

Anyone know why it's not working? I ran print_r to make sure the SESSION array contained the form information and it does. When I remove mysql_real_escape_string from the variables it goes into the database but as soon as I add it it just enters blank fields.

 

Thanks

[Caesar]

You running at least PHP 4.3.0?

[pocobueno1388]

Did you try catching the error?

 

<?php
$query = mysql_query($sql) or die(mysql_error());
?>

[suttercain]

Hi guys,

 

Yeah I am running PHP 5.0 and I did try to catch the error:

 

<?php
print_r($_SESSION);
//If Everything Appears to be Okay, the User Sends to the Database by clicking submit
if(isset($_POST['submit'])){
	$first_name = $_SESSION['fname'];//THIS ONE IS ENTERED the rest ARE NOT
	$last_name = mysql_real_escape_string($_SESSION['lname']);
	$street = mysql_real_escape_string($_SESSION['street']);
	$city = mysql_real_escape_string($_SESSION['city']);
	$state= mysql_real_escape_string($_SESSION['state']);
	$zip_code = mysql_real_escape_string($_SESSION['zip']);
	$phone = mysql_real_escape_string($_SESSION['phone']);
	$vehicle_year = mysql_real_escape_string($_SESSION['year']);
	$vehicle_make = mysql_real_escape_string($_SESSION['make']);
	$vehicle_model = mysql_real_escape_string($_SESSION['model']);
	$vin = mysql_real_escape_string($_SESSION['vin']);
	$phone = mysql_real_escape_string($_SESSION['phone']);
	$letter_requested = date('l F jS, Y');
	$time = date('g:i A');
	$next_month = date('l F jS, Y', strtotime("+28 day", time()));
	echo $first_name;
	require ('get_connected.php');
	mysql_query ("INSERT INTO canada (first_name, last_name, street, city, state, zip_code, phone, vehicle_year, vehicle_make, 	  	    vehicle_model, vin, letter_requested, time)  VALUES ('$first_name', '$last_name', '$street', '$city', '$state', '$zip_code', 	 	  	 	 			        '$phone','$vehicle_year', '$vehicle_make', '$vehicle_model', '$vin', '$letter_requested', '$time')") or die('Error In Query: '.mysql_error());

		echo "Thank You, $first_name $last_name.<br>
			  Your information was submitted on $date. If we have any questions we will contact you at $phone.<br>
			  If you do not recieve your letter by $next_month, please call us at 1-800-242-4450.";

	} else {
		echo "There was an error submitting your information. Please try again later or call us at 1-800-333-3333.";
		}
?>

 

 

Any other ideas?

 

[Hypnos]

Make sure you have a mysql_connect before you use mysql_real_escape_string.

 

If you do, try doing a var dump before and after. Make sure it's actually returning something.

 

$first_name = $_SESSION['fname'];

var_dump($first_name);

$first_name = mysql_real_escape_string($first_name);

var_dump($first_name);

[per1os]

Wouldn't it be $_POST instead of $_SESSION ???

[suttercain]

Hi Frost, no I am storing the variables in sessions, again this works :

$first_name = $_SESSION['fname'];

and I do have <?php session_start(); ?> before the headers are sent. I am going to try that var dump... but something is happening when I add the mysql_real_escape_strings. Before I add that I can echo that data that was stored in the session print_r($_SESSION) yields the correct data stored in the array, but if I add mysql_real_escape_strings to any of the variables it now "empties" the variable and no data can be echoed or inserted into the database.

[nadeemshafi9]

first try

 

$first_name = $_SESSION['fname'];
$first_name = mysql_real_escape_string($first_name);
print $first_name;

 

to see what it has become

 

then try

 

$first_name = $_SESSION['fname'];
$first_name_sanitised = mysql_real_escape_string($first_name);

 

then try

 

instead of assigning $first_name = mysql_real_escape_string($first_name); put the mysql_real_escape_string($first_name); directly into the SQL statment.

 

maybe by doing this

 

$first_name = mysql_real_escape_string($_SESSION['fname']);//THIS ONE IS ENTERED the rest ARE NOT

 

maybe you somhow do somthing to the session array and damage the rest maybe this is because you put the session[] directly into the escape string function try putting it in a var and then putting that var into the escape function.

[nadeemshafi9]

Make sure you have a mysql_connect before you use mysql_real_escape_string.

 

If you do, try doing a var dump before and after. Make sure it's actually returning something.

 

$first_name = $_SESSION['fname'];

var_dump($first_name);

$first_name = mysql_real_escape_string($first_name);

var_dump($first_name);

 

hay i didnt know about var dump good idea

[suttercain]

this worked

 

$first_name = $_SESSION['fname'];

$first_name_sanitised = mysql_real_escape_string($first_name);

echo $first_name_sanitised;

 

but in thoery (and other pages I have worked on) this should work:

$first_name = $_SESSION['fname'];

$first_name_sanitised = mysql_real_escape_string($first_name);

echo $first_name;

 

right?

 

Thanks for your help!

[pocobueno1388]

Don't forget to solve the topic

 

EDIT: Or not, sorry.

[per1os]

Just a thought, is register_globals on?

[suttercain]

so I tried :

 

$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);

 

and this is what I got:

string(7) "Shannon" bool(false)

 

Why is the string being converted to a boolean after I add the mysql_real_escape_string?

[suttercain]

the register_globals are off

[per1os]

Notes

 

    Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

 

    Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.

 

    Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.

 

    Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

 

You do have a database connection initiated don't you?

[suttercain]

Yes. I have

require ('get_connected.php');

 

I know it works because when I remove the mysql_real_escape_string all the data is placed into the database. But when I add mysql_real_escape_string around the variables it now appears to turn them into a boolean and a blank record is added.

[per1os]

Try adding this to the top of the page:

 

error_reporting(E_ALL);

 

see if any warning messages are being thrown.

[suttercain]

Nope no errors... this is really throwing me for a loop.

[per1os]

I should of looked at the code closer.

 

	require ('get_connected.php');
	mysql_query ("INSERT INTO canada (f

 

That is AFTER you used mysql_real_escape_string.

 

You need to require the get_connected.php BEFORE you call mysql_real_escape_string.

[nadeemshafi9]

Just a thought, is register_globals on?

 

i think as soon as you apply the = operator the variable no longer exists whith its previouse value, eg the memory space is redied for the variable after the =

 

as soon as you say = and the first assignment eg anything even a single char wipes the mem

[nadeemshafi9]

so I tried :

 

$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);

 

and this is what I got:

string(7) "Shannon" bool(false)

 

Why is the string being converted to a boolean after I add the mysql_real_escape_string?

 

the mysql escape returns a bool on success or falure

[nadeemshafi9]

you are trying to insert string(7) "Shannon" bool(false) into a feild in the DB that is not INT so it is rejected most probably

 

by saying

 

$first_name = mysql_real_escape_string($first_name);

 

you are making

 

$first_name = 1 or 0, $firstname

 

this is exactly how ur variable looks

 

"fname" 0

 

this can not be inserted in to a text or varchar because it is of type INT but you may recive no error because it is mixed

 

BUT IM SURE I USE IT LIKE THIS TOO let me check OK

	$password = crypt(mysql_real_escape_string($_POST["password"]));

	$sql = "INSERT INTO users (userid, password, email, `group`) ".
	"VALUES ('".
	mysql_real_escape_string($_POST["userid"])."', '".
	$password."', "."'".
	mysql_real_escape_string($_POST["email"])."', '".
	mysql_real_escape_string($_POST["group"])."'".
	");";

a page like this is highly supceptable to XSS so be sure to check where the posts came from

[per1os]

I should of looked at the code closer.

 

	require ('get_connected.php');
	mysql_query ("INSERT INTO canada (f

 

That is AFTER you used mysql_real_escape_string.

 

You need to require the get_connected.php BEFORE you call mysql_real_escape_string.

 

That is the problem nadeemshafi9. No worries it is solved with that exert.