suttercain, posted June 29, 2007:

Hi guys,

I am trying to INSERT data into MySQL and can when I don't use mysql_real_escape_string:

```php
if(isset($_POST['submit'])){
    $first_name = $_SESSION['fname'];
    INSERT HERE //works
```

Now when I try to do this:

```php
if(isset($_POST['submit'])){
    $first_name = $_SESSION['fname'];
    $first_name = mysql_real_escape_string($first_name);
    INSERT HERE //doesn't work
```

Anyone know why it's not working? I ran print_r to make sure the SESSION array contained the form information, and it does. When I remove mysql_real_escape_string from the variables it goes into the database, but as soon as I add it, it just enters blank fields.

Thanks
Caesar, posted June 29, 2007:

Are you running at least PHP 4.3.0?
pocobueno1388, posted June 29, 2007:

Did you try catching the error?

```php
<?php
$query = mysql_query($sql) or die(mysql_error());
?>
```
suttercain (author), posted June 29, 2007:

Hi guys,

Yeah, I am running PHP 5.0 and I did try to catch the error:

```php
<?php
print_r($_SESSION);

//If Everything Appears to be Okay, the User Sends to the Database by clicking submit
if(isset($_POST['submit'])){
    $first_name = $_SESSION['fname']; //THIS ONE IS ENTERED the rest ARE NOT
    $last_name = mysql_real_escape_string($_SESSION['lname']);
    $street = mysql_real_escape_string($_SESSION['street']);
    $city = mysql_real_escape_string($_SESSION['city']);
    $state = mysql_real_escape_string($_SESSION['state']);
    $zip_code = mysql_real_escape_string($_SESSION['zip']);
    $phone = mysql_real_escape_string($_SESSION['phone']);
    $vehicle_year = mysql_real_escape_string($_SESSION['year']);
    $vehicle_make = mysql_real_escape_string($_SESSION['make']);
    $vehicle_model = mysql_real_escape_string($_SESSION['model']);
    $vin = mysql_real_escape_string($_SESSION['vin']);
    $letter_requested = date('l F jS, Y');
    $time = date('g:i A');
    $next_month = date('l F jS, Y', strtotime("+28 day", time()));

    echo $first_name;

    // the connection is opened here, after the escaping above
    require ('get_connected.php');

    mysql_query ("INSERT INTO canada (first_name, last_name, street, city, state, zip_code, phone, vehicle_year, vehicle_make, vehicle_model, vin, letter_requested, time)
        VALUES ('$first_name', '$last_name', '$street', '$city', '$state', '$zip_code', '$phone', '$vehicle_year', '$vehicle_make', '$vehicle_model', '$vin', '$letter_requested', '$time')")
        or die('Error In Query: '.mysql_error());

    // $letter_requested holds the submission date (the original echoed an undefined $date)
    echo "Thank You, $first_name $last_name.<br> Your information was submitted on $letter_requested. If we have any questions we will contact you at $phone.<br> If you do not receive your letter by $next_month, please call us at 1-800-242-4450.";
} else {
    echo "There was an error submitting your information. Please try again later or call us at 1-800-333-3333.";
}
?>
```

Any other ideas?
Hypnos, posted June 29, 2007:

Make sure you have a mysql_connect before you use mysql_real_escape_string. If you do, try doing a var_dump before and after. Make sure it's actually returning something.

```php
$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);
```
per1os, posted June 29, 2007:

Wouldn't it be $_POST instead of $_SESSION???
suttercain (author), posted June 29, 2007:

Hi Frost, no, I am storing the variables in sessions. Again, this works:

```php
$first_name = $_SESSION['fname'];
```

and I do have

```php
<?php session_start(); ?>
```

before the headers are sent. I am going to try that var_dump... but something is happening when I add the mysql_real_escape_string. Before I add that I can echo the data that was stored in the session; print_r($_SESSION) yields the correct data stored in the array, but if I add mysql_real_escape_string to any of the variables it now "empties" the variable and no data can be echoed or inserted into the database.
nadeemshafi9, posted June 29, 2007:

First try

```php
$first_name = $_SESSION['fname'];
$first_name = mysql_real_escape_string($first_name);
print $first_name;
```

to see what it has become. Then try

```php
$first_name = $_SESSION['fname'];
$first_name_sanitised = mysql_real_escape_string($first_name);
```

Then try, instead of assigning `$first_name = mysql_real_escape_string($first_name);`, putting `mysql_real_escape_string($first_name)` directly into the SQL statement.

Maybe by doing this

```php
$first_name = mysql_real_escape_string($_SESSION['fname']); //THIS ONE IS ENTERED the rest ARE NOT
```

maybe you somehow do something to the session array and damage the rest. Maybe this is because you put the session[] directly into the escape string function; try putting it in a var and then putting that var into the escape function.
nadeemshafi9, posted June 29, 2007:

> Make sure you have a mysql_connect before you use mysql_real_escape_string. If you do, try doing a var_dump before and after. Make sure it's actually returning something.
>
> $first_name = $_SESSION['fname'];
> var_dump($first_name);
> $first_name = mysql_real_escape_string($first_name);
> var_dump($first_name);

Hey, I didn't know about var_dump. Good idea.
suttercain (author), posted June 29, 2007:

This worked:

```php
$first_name = $_SESSION['fname'];
$first_name_sanitised = mysql_real_escape_string($first_name);
echo $first_name_sanitised;
```

but in theory (and on other pages I have worked on) this should work:

```php
$first_name = $_SESSION['fname'];
$first_name_sanitised = mysql_real_escape_string($first_name);
echo $first_name;
```

Right? Thanks for your help!
pocobueno1388, posted June 29, 2007:

Don't forget to solve the topic.

EDIT: Or not, sorry.
per1os, posted June 29, 2007:

Just a thought, is register_globals on?
suttercain (author), posted June 29, 2007:

So I tried:

```php
$first_name = $_SESSION['fname'];
var_dump($first_name);
$first_name = mysql_real_escape_string($first_name);
var_dump($first_name);
```

and this is what I got:

```
string(7) "Shannon"
bool(false)
```

Why is the string being converted to a boolean after I add the mysql_real_escape_string?
suttercain (author), posted June 29, 2007:

register_globals is off.
per1os, posted June 29, 2007:

Notes

- Note: A MySQL connection is required before using mysql_real_escape_string(), otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
- Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.
- Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.
- Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

You do have a database connection initiated, don't you?
suttercain (author), posted June 29, 2007:

Yes. I have

```php
require ('get_connected.php');
```

I know it works because when I remove the mysql_real_escape_string all the data is placed into the database. But when I add mysql_real_escape_string around the variables it now appears to turn them into a boolean, and a blank record is added.
per1os, posted June 29, 2007:

Try adding this to the top of the page:

```php
error_reporting(E_ALL);
```

See if any warning messages are being thrown.
suttercain (author), posted June 29, 2007:

Nope, no errors... this is really throwing me for a loop.
per1os, posted June 29, 2007:

I should have looked at the code closer.

```php
require ('get_connected.php');
mysql_query ("INSERT INTO canada (f
```

That is AFTER you used mysql_real_escape_string. You need to require the get_connected.php BEFORE you call mysql_real_escape_string.
nadeemshafi9, posted June 29, 2007:

> Just a thought, is register_globals on?

I think as soon as you apply the = operator the variable no longer exists with its previous value, e.g. the memory space is readied for the variable after the =; as soon as you say = and the first assignment, e.g. anything, even a single char, wipes the mem.
nadeemshafi9, posted June 29, 2007:

> So I tried:
>
> $first_name = $_SESSION['fname'];
> var_dump($first_name);
> $first_name = mysql_real_escape_string($first_name);
> var_dump($first_name);
>
> and this is what I got:
>
> string(7) "Shannon"
> bool(false)
>
> Why is the string being converted to a boolean after I add the mysql_real_escape_string?

The mysql escape returns a bool on success or failure.
nadeemshafi9, posted June 29, 2007:

You are trying to insert

```
string(7) "Shannon"
bool(false)
```

into a field in the DB that is not INT, so it is rejected most probably. By saying `$first_name = mysql_real_escape_string($first_name);` you are making $first_name = 1 or 0. This is exactly how your variable looks: "fname" 0. This cannot be inserted into a text or varchar because it is of type INT, but you may receive no error because it is mixed.

BUT I'M SURE I USE IT LIKE THIS TOO, let me check. OK:

```php
$password = crypt(mysql_real_escape_string($_POST["password"]));
$sql = "INSERT INTO users (userid, password, email, `group`) ".
       "VALUES ('". mysql_real_escape_string($_POST["userid"])."', '".
       $password."', "."'". mysql_real_escape_string($_POST["email"])."', '".
       mysql_real_escape_string($_POST["group"])."'".
       ");";
```

A page like this is highly susceptible to XSS, so be sure to check where the posts came from.
per1os, posted June 29, 2007:

> I should have looked at the code closer.
>
> require ('get_connected.php');
> mysql_query ("INSERT INTO canada (f
>
> That is AFTER you used mysql_real_escape_string. You need to require the get_connected.php BEFORE you call mysql_real_escape_string.

That is the problem, nadeemshafi9. No worries, it is solved with that excerpt.
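The fix per1os identified, written out as an added example (not code from the thread): the connection is opened before any escaping, and the escape result is checked, because a `false` returned by mysql_real_escape_string() without a connection interpolates into the query as an empty string and silently produces the blank record the original poster saw. It assumes PHP 5.x with the legacy mysql extension, the thread's own get_connected.php include, and the poster's session keys and canada table columns.

```php
<?php
// Added example, not from the thread. Assumes PHP 5.x with the legacy mysql
// extension; get_connected.php, the session keys and the canada columns are
// the ones the original poster used.
error_reporting(E_ALL);
ini_set('display_errors', '1');  // otherwise the E_WARNING from a missing link is never seen

session_start();
require 'get_connected.php';     // open the MySQL link FIRST, before any escaping

// Escape one value and fail closed instead of letting false become ''.
function escape_or_fail($value)
{
    $escaped = mysql_real_escape_string($value);
    if ($escaped === false) {
        // No usable connection: abort the request rather than insert blanks.
        throw new RuntimeException('escape failed: ' . mysql_error());
    }
    return $escaped;
}

if (isset($_POST['submit'])) {
    $fields = array();
    // Every interpolated value, first_name included, goes through the escaper.
    foreach (array('fname', 'lname', 'street', 'city', 'state', 'zip', 'phone',
                   'year', 'make', 'model', 'vin') as $key) {
        $fields[$key] = escape_or_fail(isset($_SESSION[$key]) ? $_SESSION[$key] : '');
    }
    $letter_requested = date('l F jS, Y');
    $time = date('g:i A');

    $sql = "INSERT INTO canada (first_name, last_name, street, city, state, zip_code, phone,
                vehicle_year, vehicle_make, vehicle_model, vin, letter_requested, time)
            VALUES ('{$fields['fname']}', '{$fields['lname']}', '{$fields['street']}',
                    '{$fields['city']}', '{$fields['state']}', '{$fields['zip']}',
                    '{$fields['phone']}', '{$fields['year']}', '{$fields['make']}',
                    '{$fields['model']}', '{$fields['vin']}', '$letter_requested', '$time')";
    if (!mysql_query($sql)) {
        throw new RuntimeException('Error In Query: ' . mysql_error());
    }
}
```

The legacy mysql extension was removed in PHP 7; with mysqli the link is a mandatory first argument of mysqli_real_escape_string(), so the ordering mistake from this thread cannot be written implicitly.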