mysql_real_escape_string issue


kurt.santo

I have input and select fields where I store the $_POST value for example as:

$country = escape_data($_POST['country']);

The function is:

function escape_data ($data) {
	// address magic quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysql_real_escape_string')) {
		global $dbc; // need the connection
		$data = mysql_real_escape_string (trim($data), $dbc);
	} else {
		$data = mysql_escape_string (trim($data));
	}
	// return escaped value
	return $data;
}

Each time I want to submit my data I receive for each field the error:

mysql_real_escape_string() expects parameter 2 to be resource, object given

Why is that?

Kurt

PS Reason for edit. Thought first it just does it for one field, but actually does it for any submitted field on that form


You need to connect to a database first and have the MySQL connection resource stored to $dbc. You can just express it as

$data = mysql_real_escape_string (trim($data));

The resource is implied unless explicitly passed.


> You need to connect to a database first and have the MySQL connection resource stored to $dbc. You can just express it as

if ($dbc = mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD)) { // establish connection.
	if (!mysqli_select_db ($dbc,DB_NAME)) { // if cannot select database
		// handle error
		trigger_error("Could not select the database!\n<br />MySQL Error: " . mysql_error());
		// print message, include footer and exit.
		exit();
	} // End of mysql_select_db IF.
} else { // if couldn't connect to MySQL
	// print message, include footer and exit
	trigger_error("Could not connect to MySQL!\n<br />MySQL Error: " . mysql_error());
	exit();
}
// function to escape the data.
function escape_data ($data) {
	// address magic quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysql_real_escape_string')) {
		global $dbc; // need the connection
		$data = mysql_real_escape_string (trim($data), $dbc);
	} else {
		$data = mysql_escape_string (trim($data));
	}
	// return escaped value
	return $data;
}
?>

I open the file, it shows ok (including bits from database) and as soon as I try to submit any data the error message appears...

Kurt


Try just removing the second parameter of your mysql_real_escape_string() call.


:) what error do you get?
mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'user'@'localhost' (using password: NO)

with the modified function to read:

function escape_data ($data) {
	// address magic quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysql_real_escape_string')) {
		global $dbc; // need the connection
		$data = mysql_real_escape_string (trim($data));
	} else {
		$data = mysql_escape_string (trim($data));
	}
	// return escaped value
	return $data;
}

Kurt


Make sure you are calling the function after you connect to the database. That seemed so from your connect script, but that error would indicate that either you are not connecting first or there is an error with your connection... hmm... what does your complete code look like?


> Make sure you are calling the function after you connect to the database. That seemed so from your connect script, but that error would indicate that either you are not connecting first or there is an error with your connection... hmm... what does your complete code look like?

require_once for the file with db connection is first I am calling. Complete content of file to be included is (only db connect constants at top are missing):

DEFINE ('DB_NAME', 'web55-makeup');
if ($dbc = mysqli_connect (DB_HOST, DB_USER, DB_PASSWORD)) { // establish connection.
	if (!mysqli_select_db ($dbc,DB_NAME)) { // if cannot select database
		// handle error
		trigger_error("Could not select the database!\n<br />MySQL Error: " . mysql_error());
		// print message, include footer and exit.
		exit();
	} // End of mysql_select_db IF.
} else { // if couldn't connect to MySQL
	// print message, include footer and exit
	trigger_error("Could not connect to MySQL!\n<br />MySQL Error: " . mysql_error());
	exit();
}
// function to escape the data.
function escape_data ($data) {
	// address magic quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysql_real_escape_string')) {
		global $dbc; // need the connection
		$data = mysql_real_escape_string (trim($data));
	} else {
		$data = mysql_escape_string (trim($data));
	}
	// return escaped value
	return $data;
}

With line $data = mysql_real_escape_string (trim($data), $dbc); I get error "mysql_real_escape_string() expects parameter 2 to be resource, object given", but content from database (in different place I display content from same db) is showing fine. I used before the mysql extension, which was working fine and since I use mysqli the problem showed up. Maybe this gives you an idea why that is? I do not have a clue...

Kurt


The first issue was because you were connecting using mysqli_connect and then using mysql_real_escape_string, you're mixing mysql and mysqli again. You can use mysqli_real_escape_string with your $dbc connection object. Note the parameters are in the opposite order.

http://www.php.net/manual/en/mysqli.real-escape-string.php


> The first issue was because you were connecting using mysqli_connect and then using mysql_real_escape_string, you're mixing mysql and mysqli again. You can use mysqli_real_escape_string with your $dbc connection object. Note the parameters are in the opposite order.
> http://www.php.net/manual/en/mysqli.real-escape-string.php

Oh, not again. It always happens... Still, change all to:

// function to escape the data.
function escape_data ($data) {
	// address magic quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysqli_real_escape_string')) {
		global $dbc; // need the connection
		$data = mysqli_real_escape_string ($dbc, trim($data));
	} else {
		$data = mysqli_escape_string (trim($data));
	}
	// return escaped value
	return $data;
}

Now I get lots of error messages. When I first used the file without the mysqli as:

if ($dbc = mysql_connect (DB_HOST, DB_USER, DB_PASSWORD)) { // make connection
	if (!mysql_select_db (DB_NAME)) { // if it can't select the database
		// handle the error
		trigger_error("Could not select the database!\n<br />MySQL Error: " . mysql_error());
		// print a message to the user and kill the script.
		exit();
	} // end of mysql_select_db IF
} else { // if it couldn't connect to MySQL
	// print a message to the user and kill the script
	trigger_error("Could not connect to MySQL!\n<br />MySQL Error: " . mysql_error());
	exit();
} // end of $dbc IF
// function for escaping data
function escape_data ($data) {
	// Magic Quotes.
	if (ini_get('magic_quotes_gpc')) {
		$data = stripslashes($data);
	}
	// check for mysql_real_escape_string() support
	if (function_exists('mysql_real_escape_string')) {
		global $dbc; // need connection
		$data = mysql_real_escape_string (trim($data), $dbc);
	} else {
		$data = mysql_escape_string (trim($data));
	}
	// return the escaped value
	return $data;
} // end of function

all was fine. It is just that I had two different connect files (one with mysqli and one without), which I considered to be not a good idea. So, I changed into one connect file with the given problems...

For example, line:

$result = mysqli_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

(line before $query = "SELECT user_id FROM users WHERE email='$email'":) now throws:

mysqli_query() expects at least 2 parameters, 1 given

What is going wrong here? I do not understand...

Kurt


First, about this:

$data = mysqli_real_escape_string ($dbc, trim($data));
} else {
$data = mysqli_escape_string (trim($data));

Both mysqli_real_escape_string and mysqli_escape_string are the same function, one is just an alias for the other. Both of them take the same parameters and if one is defined they will both be defined.

About the other error, look at the doc page, nearly all of the mysqli functions require you to send the connection object as well if you're using the procedural version instead of the object-oriented version.

http://www.php.net/manual/en/mysqli.query.php

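The fix the replies describe, written out with one extension throughout, as an added example that is not code from the thread: procedural mysqli calls take the connection as their first argument, and a prepared statement is shown beside the escaped query. The DB_* constants and the `users` query follow the thread; `find_user_id()`, `$_POST['email']` and the `utf8` character set are assumptions.

```php
<?php
// Added example. DB_HOST, DB_USER, DB_PASSWORD and DB_NAME are assumed to be
// defined above, as in the thread's connect file.

// Connect and select the database in one call. Errors are read with the
// mysqli functions; mysql_error() knows nothing about a mysqli connection.
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if (!$dbc) {
    trigger_error("Could not connect to MySQL!\n<br />MySQL Error: " . mysqli_connect_error());
    exit();
}
// Escaping depends on the connection character set, so set it explicitly
// ('utf8' is an assumption; use the character set of your tables).
mysqli_set_charset($dbc, 'utf8');

// Escape a value for use inside a quoted SQL string literal.
function escape_data($data)
{
    global $dbc; // the mysqli connection object
    if (ini_get('magic_quotes_gpc')) { // undo magic quotes on old PHP
        $data = stripslashes($data);
    }
    // Procedural mysqli: connection first, then the string.
    return mysqli_real_escape_string($dbc, trim($data));
}

// Look up a user id with a prepared statement: the value travels separately
// from the SQL text, so no escaping is needed. find_user_id() is a
// hypothetical helper name.
function find_user_id($dbc, $email)
{
    $stmt = mysqli_prepare($dbc, 'SELECT user_id FROM users WHERE email = ?');
    if (!$stmt) {
        trigger_error('MySQL Error: ' . mysqli_error($dbc));
        return null;
    }
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $user_id);
    $found = mysqli_stmt_fetch($stmt); // true when a row was fetched
    mysqli_stmt_close($stmt);
    return $found ? $user_id : null;
}

// The thread's query with escaping instead; $dbc is the first argument.
$email  = escape_data(isset($_POST['email']) ? $_POST['email'] : '');
$query  = "SELECT user_id FROM users WHERE email='$email'";
$result = mysqli_query($dbc, $query)
    or trigger_error("Query: $query\n<br />MySQL Error: " . mysqli_error($dbc));
```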

Archived

This topic is now archived and is closed to further replies.
