How do I use mysql_real_escape_string successfully?

privateland asked
Last Modified: 2012-05-06
Hello all.

I keep getting these warnings:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user ....(using password: NO) in .....on line 9

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in.....on line 9

When I've googled the warnings I keep seeing that I have to be connected to the database in order to use mysql_real_escape_string.  But I am pretty sure I'm connected, so below I've included the first 9 lines.  Maybe someone can help me figure out what I'm doing wrong?

Thanks,
~Amy

<?php
session_start();
 
include ("databaseinfo"); // This connects me to the db
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);


Most Valuable Expert 2011
Author of the Year 2014

Commented:
Show us your DB connection code, please

Author

Commented:
The following is the "databaseinfo.php"
<?php
	$user="user";
	$host="IP addy";
	$password="password";
	$database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Most Valuable Expert 2011
Author of the Year 2014

Commented:
Try this...

Also, what is your  platform?
<?php
session_start();
 
include ("databaseinfo"); // This connects me to the db
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username, $conn);


Most Valuable Expert 2011
Author of the Year 2014

Commented:
Wait a sec...

Is this:
include ("databaseinfo"); // This connects me to the db

supposed to be this:
include ("databaseinfo.php"); // This connects me to the db

Author

Commented:
Yes, that was a typo on my part.  But it is correct in my actual code.

I tried adding the $conn, and it still has the same errors.

Hmmm....
Most Valuable Expert 2011
Author of the Year 2014

Commented:
"But it is correct in my actual code."

Then let's see the "actual code" - it makes no sense to debug something that is hypothetical.

Obscure the passwords and post the actual code, please.
Most Valuable Expert 2011
Author of the Year 2014

Commented:
I'm wondering about that mysql_connect() command.  See the man page here:
http://us3.php.net/manual/en/function.mysql-connect.php

Not sure about that fourth argument.

Here is how I connect - and mysql_real_escape_string() works fine for me!  warning_RAY() is a local function, but the concept should be clear.
<?php // ../db_cx.php IN THE ROOT DIRECTORY (above WWW)
 
$db_host	= "localhost";
$db_name	= "n";
$db_user	= "u";
$db_word	= "p";
 
// CONNECT TO THE DATA BASE SERVER
if (!$db_connection = @mysql_connect("$db_host", "$db_user", "$db_word")) {
	$errmsg	= mysql_errno() . ' ' . mysql_error();
	echo "\n\n\n\n<!-- ! db_connection -->";
	echo "\n<!-- $errmsg -->\n\n\n\n";
	warning_RAY($errmsg);
}
 
// SELECT THE DATA BASE
if (!$db_sel = @mysql_select_db($db_name, $db_connection)) {
	$errmsg	= mysql_errno() . ' ' . mysql_error();
	echo "\n\n\n\n<!-- ! db_sel -->";
	echo "\n<!-- $errmsg -->\n\n\n\n";
	warning_RAY($errmsg);
}
 
?>


Author

Commented:
Sorry for the mistake.
<?php
session_start();
 
include ("databaseinfo.php");
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);


Author

Commented:
Okay, let me also say that pages before that used the same "databaseinfo.php" connected with no problem.  The only thing I changed this morning was that I added this part to make things more secure:
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);


Most Valuable Expert 2011
Author of the Year 2014

Commented:
Please post the ACTUAL db-connect code that you have in databaseinfo.php - obscure the password.

Thanks.

Author

Commented:
Also, let me point out later that I do use Line 9 to talk to the db.  When I just used "username" instead of "username_sq" everything worked, but because I added the security, the warnings popped up.

I'm sorry if I'm not including everything.  I didn't know exactly what you needed to make heads or tails of the warnings.
$sql="SELECT * FROM Customers WHERE username='$username_sq'";
$result = mysql_query($sql);


Author

Commented:
I did post the actual code.  But I felt more comfortable obscuring the $user, $host, $password, and $database.  But the code itself is exact.
Most Valuable Expert 2011
Author of the Year 2014

Commented:
Looks like your data base is named "Database" and notwithstanding the $database variable, the connection is hardwired.  This is the sort of thing that could lead to trouble.

I am almost certain you do not want the fourth argument in mysql_connect() -- please see the man page here: http://us3.php.net/manual/en/function.mysql-connect.php
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Author

Commented:
I see.  So it should look more like this?....
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Author

Commented:
Okay, I understand that part of it a little more.  However, that doesn't do anything for my Warnings.
Most Valuable Expert 2011
Author of the Year 2014

Commented:
Maybe more like this... Note the mysql_select_db() difference
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("$database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Most Valuable Expert 2011
Author of the Year 2014
Commented:
Please see the notes on this page:
http://us2.php.net/manual/en/function.mysql-real-escape-string.php

Then let's try removing the line that says this:
$username=htmlspecialchars($username);

I'm not sure that will change things, but I can think of no reason why you would want to mung the username before inserting it into the data base, and the % signs that may wind up in there could confuse MySQL some day.

Most Valuable Expert 2011
Author of the Year 2014

Commented:
Thanks for the points, but pray tell - what fixed it?
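
An added example, not code from any participant in this thread: the Customers lookup from the question written with a PDO prepared statement, which needs no escaping call, and with htmlspecialchars() applied only when the value is written into HTML. The in-memory SQLite database, its rows and the function names findCustomer() and renderCustomer() are constructed for illustration; against MySQL the DSN would be a mysql: one.

```php
<?php
// Added example with constructed data. SQLite in memory stands in for the
// MySQL server so the script runs offline (assumption: pdo_sqlite is enabled).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed table and rows modelled on the "Customers" table in the thread.
$pdo->exec('CREATE TABLE Customers (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO Customers (username, email) VALUES
    ('amy', 'amy@example.test'),
    ('o''brien <b>', 'ob@example.test')");

// SQL context: the username travels as a bound parameter, never as query text,
// so no escaping function (and no dependency on an open link at escape time).
function findCustomer(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, email FROM Customers WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML context: encode at the point of output, not before the query.
// Encoding first would make the lookup search for the encoded text instead.
function renderCustomer(?array $row): string
{
    if ($row === null) {
        return '<p>No such customer</p>';
    }
    return '<p>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed sample values standing in for $_SESSION['username'].
$samples = ['amy', "o'brien <b>", 'nobody'];
foreach ($samples as $name) {
    echo renderCustomer(findCustomer($pdo, $name)), "\n";
}
```

The second sample contains both a quote and markup: the quote reaches the database unchanged as data, and the markup is encoded only in the rendered line.
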