Solved

How do I use mysql_real_escape_string successfully?

Posted on 2009-02-16
Last Modified: 2012-05-06
Hello all.

I keep getting these warnings:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user ....(using password: NO) in .....on line 9

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in.....on line 9

When I've googled the warnings I keep seeing that I have to be connected to the database in order to use mysql_real_escape_string.  But I am pretty sure I'm connected, so below I've included the first 9 lines.  Maybe someone can help me figure out what I'm doing wrong?

Thanks,
~Amy

<?php
session_start();
 
include ("databaseinfo"); // This connects me to the db
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);

Question by:privateland

Expert Comment

by:Ray Paseur
ID: 23652120
Show us your DB connection code, please

Author Comment

by:privateland
ID: 23652165
The following is the "databaseinfo.php"
<?php
	$user="user";
	$host="IP addy";
	$password="password";
	$database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Expert Comment

by:Ray Paseur
ID: 23652181
Try this...

Also, what is your  platform?
<?php
session_start();
 
include ("databaseinfo"); // This connects me to the db
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username, $conn);


Expert Comment

by:Ray Paseur
ID: 23652191
Wait a sec...

Is this:
include ("databaseinfo"); // This connects me to the db

supposed to be this:
include ("databaseinfo.php"); // This connects me to the db

Author Comment

by:privateland
ID: 23652266
Yes, that was a typo on my part.  But it is correct in my actual code.

I tried adding the $conn, and it still has the same errors.

Hmmm....

Expert Comment

by:Ray Paseur
ID: 23652360
<quote> But it is correct in my actual code.</quote>

Then let's see the "actual code" - it makes no sense to debug something that is hypothetical.

Obscure the passwords and post the actual code, please.

Expert Comment

by:Ray Paseur
ID: 23652444
I'm wondering about that mysql_connect() command.  See the man page here:
http://us3.php.net/manual/en/function.mysql-connect.php

Not sure about that fourth argument.

Here is how I connect - and mysql_real_escape_string() works fine for me!  warning_RAY() is a local function, but the concept should be clear.
<?php // ../db_cx.php IN THE ROOT DIRECTORY (above WWW)
 
$db_host	= "localhost";
$db_name	= "n";
$db_user	= "u";
$db_word	= "p";
 
// CONNECT TO THE DATA BASE SERVER
if (!$db_connection = @mysql_connect("$db_host", "$db_user", "$db_word")) {
	$errmsg	= mysql_errno() . ' ' . mysql_error();
	echo "\n\n\n\n<!-- ! db_connection -->";
	echo "\n<!-- $errmsg -->\n\n\n\n";
	warning_RAY($errmsg);
}
 
// SELECT THE DATA BASE
if (!$db_sel = @mysql_select_db($db_name, $db_connection)) {
	$errmsg	= mysql_errno() . ' ' . mysql_error();
	echo "\n\n\n\n<!-- ! db_sel -->";
	echo "\n<!-- $errmsg -->\n\n\n\n";
	warning_RAY($errmsg);
}
 
?>


Author Comment

by:privateland
ID: 23652460
Sorry for the mistake.
<?php
session_start();
 
include ("databaseinfo.php");
 
$username=$_SESSION['username'];
 
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);


Author Comment

by:privateland
ID: 23652487
Okay, let me also say that pages before that used the same "databaseinfo.php" connected with no problem.  The only thing I changed this morning was that I added this part to make things more secure:
$username=htmlspecialchars($username);
$username_sq=mysql_real_escape_string($username);


Expert Comment

by:Ray Paseur
ID: 23652521
Please post the ACTUAL db-connect code that you have in databaseinfo.php - obscure the password.

Thanks.

Author Comment

by:privateland
ID: 23652540
Also, let me point out later that I do use Line 9 to talk to the db.  When I just used "username" instead of "username_sq" everything worked, but because I added the security, the warnings popped up.

I'm sorry if I'm not including everything.  I didn't know exactly what you needed to make heads or tails of the warnings.
$sql="SELECT * FROM Customers WHERE username='$username_sq'";
$result = mysql_query($sql);


Author Comment

by:privateland
ID: 23652558
I did post the actual code.  But I felt more comfortable obscuring the $user, $host, $password, and $database.  But the code itself is exact.

Expert Comment

by:Ray Paseur
ID: 23652642
Looks like your data base is named "Database" and notwithstanding the $database variable, the connection is hardwired.  This is the sort of thing that could lead to trouble.

I am almost certain you do not want the fourth argument in mysql_connect() -- please see the man page here: http://us3.php.net/manual/en/function.mysql-connect.php
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password, $database);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Author Comment

by:privateland
ID: 23652767
I see.  So it should look more like this?....
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("Database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Author Comment

by:privateland
ID: 23652786
Okay, I understand that part of it a little more.  However, that doesn't do anything for my Warnings.

Expert Comment

by:Ray Paseur
ID: 23652794
Maybe more like this... Note the mysql_select_db() difference
<?php
        $user="user";
        $host="IP addy";
        $password="password";
        $database="Database";
$conn = mysql_connect ($host, $user, $password);
 
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
 
mysql_select_db($database, $conn);
 
if (!mysql_select_db("$database")) {
    echo "Unable to select Customer Data: " . mysql_error();
    exit;
}
 
?>


Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 23652839
Please see the notes on this page:
http://us2.php.net/manual/en/function.mysql-real-escape-string.php

Then let's try removing the line that says this:
$username=htmlspecialchars($username);

I'm not sure that will change things, but I can think of no reason why you would want to mung the username before inserting it into the data base, and the % signs that may wind up in there could confuse MySQL some day.

Expert Comment

by:Ray Paseur
ID: 23654028
Thanks for the points, but pray tell - what fixed it?
0
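
The accepted answer's advice to drop htmlspecialchars() before the query, worked through as an added example (not code from the thread or its participants): the lookup from the question uses a bound parameter instead of mysql_real_escape_string(), and HTML encoding is applied only at output. PDO with an in-memory SQLite database, the find_customer() helper and the sample usernames are assumptions chosen so the script runs stand-alone.

```php
<?php
// Added example, not code from the thread. Assumption: PDO with an in-memory
// SQLite database stands in for the MySQL server so the script runs offline;
// for MySQL only the DSN and credentials passed to new PDO() change.

// Hypothetical helper: look up one customer by username.
function find_customer(PDO $db, string $username): ?array
{
    // The value travels as a bound parameter, so no escaping function (and no
    // already-open ext/mysql link) is involved in building the SQL text.
    $stmt = $db->prepare('SELECT * FROM Customers WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Customers (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');

// Constructed sample rows: one name contains a quote and an ampersand.
$insert = $db->prepare('INSERT INTO Customers (username) VALUES (?)');
foreach (["amy", "O'Brien & Co"] as $name) {
    $insert->execute([$name]);
}

$username = "O'Brien & Co"; // stands in for $_SESSION['username']

// Raw value bound as a parameter: the quote cannot break the statement
// and the stored row is matched exactly.
$row = find_customer($db, $username);
var_dump($row !== null);

// HTML-encoding before the lookup changes the value being compared
// (& becomes &amp;), so the same customer is no longer matched.
var_dump(find_customer($db, htmlspecialchars($username)) !== null);

// htmlspecialchars() belongs at output time, when the value is placed in HTML.
echo 'Welcome, ', htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8'), "\n";
```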
