privateland
asked on
How do I use my_sql_real_escape_string successfully?
Hello all.
I keep getting these warnings:
Warning: mysql_real_escape_string() [function.mysql-real-escap e-string]: Access denied for user ....(using password: NO) in .....on line 9
Warning: mysql_real_escape_string() [function.mysql-real-escap e-string]: A link to the server could not be established in.....on line 9
When I've googled the warnings I keep seeing that I have to be connected to the database in order to use mysql_real_escape_string. But I am pretty sure I'm connected, so below I've included the first 9 lines. Maybe someone can help me figure out what I'm doing wrong?
Thanks,
~Amy
I keep getting these warnings:
Warning: mysql_real_escape_string()
Warning: mysql_real_escape_string()
When I've googled the warnings I keep seeing that I have to be connected to the database in order to use mysql_real_escape_string. But I am pretty sure I'm connected, so below I've included the first 9 lines. Maybe someone can help me figure out what I'm doing wrong?
Thanks,
~Amy
<?php
session_start();
include ("databaseinfo");\\This connects me to the db
$username=$_SESSION['username'];
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);
Show us your DB connection code, please
ASKER
The following is the "databaseinfo.php"
<?php
$user="user";
$host="IP addy";
$password="password";
$database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
if (!$conn) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}
mysql_select_db($database, $conn);
if (!mysql_select_db("Database")) {
echo "Unable to select Customer Data: " . mysql_error();
exit;
}
?>
Try this...
Also, what is your platform?
Also, what is your platform?
<?php
session_start();
include ("databaseinfo");\\This connects me to the db
$username=$_SESSION['username'];
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username, $conn);
Wait a sec...
Is this:
include ("databaseinfo");\\This connects me to the db
supposed to be this:
include ("databaseinfo.php");\\Thi s connects me to the db
Is this:
include ("databaseinfo");\\This connects me to the db
supposed to be this:
include ("databaseinfo.php");\\Thi
ASKER
Yes, that was a typo on my part. But it is correct in my actual code.
I tried adding the $conn, and it still has the same errors.
Hmmm....
I tried adding the $conn, and it still has the same errors.
Hmmm....
<quote> But it is correct in my actual code.</quote>
Then let's see the "actual code" - it makes no sense to debug something that is hypothetical.
Obscure the passwords and post the actual code, please.
Then let's see the "actual code" - it makes no sense to debug something that is hypothetical.
Obscure the passwords and post the actual code, please.
I'm wondering about that mysql_connect() command. See the man page here:
http://us3.php.net/manual/en/function.mysql-connect.php
Not sure about that fourth argument.
Here is how I connect - and mysql_real_escape_string() works fine for me! warning_RAY() is a local function, but the concept should be clear.
http://us3.php.net/manual/en/function.mysql-connect.php
Not sure about that fourth argument.
Here is how I connect - and mysql_real_escape_string()
<?php // ../db_cx.php IN THE ROOT DIRECTORY (above WWW)
$db_host = "localhost";
$db_name = "n";
$db_user = "u";
$db_word = "p";
// CONNECT TO THE DATA BASE SERVER
if (!$db_connection = @mysql_connect("$db_host", "$db_user", "$db_word")) {
$errmsg = mysql_errno() . ' ' . mysql_error();
echo "\n\n\n\n<!-- ! db_connection -->";
echo "\n<!-- $errmsg -->\n\n\n\n";
warning_RAY($errmsg);
}
// SELECT THE DATA BASE
if (!$db_sel = @mysql_select_db($db_name, $db_connection)) {
$errmsg = mysql_errno() . ' ' . mysql_error();
echo "\n\n\n\n<!-- ! db_sel -->";
echo "\n<!-- $errmsg -->\n\n\n\n";
warning_RAY($errmsg);
}
?>
ASKER
Sorry for the mistake.
<?php
session_start();
include ("databaseinfo.php");
$username=$_SESSION['username'];
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);
ASKER
Okay, let me also say that pages before that used the same "databaseinfo.php" connected with no problem. The only thing I changed this morning was that I added this part to make things more secure:
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);
Please post the ACTUAL db-connect code that you have in databaseinfo.php - obscure the password.
Thanks.
Thanks.
ASKER
Also, let me point out later that I do use Line 9 to talk to the db. When I just used "username" instead of "username_sq" everything worked, but because I added the security, the warnings popped up.
I'm sorry if I'm not including everything. I didn't know exactly what you needed to make heads or tails of the warnings.
I'm sorry if I'm not including everything. I didn't know exactly what you needed to make heads or tails of the warnings.
$sql="SELECT * FROM Customers WHERE username='$username_sq'";
$result = mysql_query($sql);
ASKER
I did post the actual code. But I felt more comfortable obscuring the $user, $host, $password, and $database. But the code itself is exact.
Looks like your data base is named "Database" and notwithstanding the $database variable, the connection is hardwired. This is the sort of thing that could lead to trouble.
I am almost certain you do not want the fourth argument in mysql_connect() -- please see the man page here: http://us3.php.net/manual/en/function.mysql-connect.php
I am almost certain you do not want the fourth argument in mysql_connect() -- please see the man page here: http://us3.php.net/manual/en/function.mysql-connect.php
<?php
$user="user";
$host="IP addy";
$password="password";
$database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
if (!$conn) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}
mysql_select_db($database, $conn);
if (!mysql_select_db("Database")) {
echo "Unable to select Customer Data: " . mysql_error();
exit;
}
?>
ASKER
I see. So it should look more like this?....
<?php
$user="user";
$host="IP addy";
$password="password";
$database="Database";
$conn = mysql_connect ($host, $user, $password);
if (!$conn) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}
mysql_select_db($database, $conn);
if (!mysql_select_db("Database")) {
echo "Unable to select Customer Data: " . mysql_error();
exit;
}
?>
ASKER
Okay, I understand that part of it a little more. However, that doesn't do anything for my Warnings.
Maybe more like this... Note the mysql_select_db() difference
<?php
$user="user";
$host="IP addy";
$password="password";
$database="Database";
$conn = mysql_connect ($host, $user, $password);
if (!$conn) {
echo "Unable to connect to DB: " . mysql_error();
exit;
}
mysql_select_db($database, $conn);
if (!mysql_select_db("$database")) {
echo "Unable to select Customer Data: " . mysql_error();
exit;
}
?>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Thanks for the points, but pray tell - what fixed it?