PHP - Coding Error : Mysql_real_escape_string
Could someone tell what's wrong here?
$abc = sprintf("INSERT INTO my_db1 (username, password, firstname, company, email) VALUES ('%s', '%s', '%s', '%s', '%s'",
    mysql_real_escape_string($username),
    mysql_real_escape_string($password,
    mysql_real_escape_string($surname,
    mysql_real_escape_string($firstname,
    mysql_real_escape_string($company,
    mysql_real_escape_string($email)));
$resultg = mysql_query($abc);

Thanks!

Similar Tutorials

I keep getting the following error:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established

With this code:

<?php
$level = $_POST[level];
$first = $_POST[first];
$second = $_POST[second];
$third = $_POST[third];
$fourth = $_POST[fourth];

$mysqli = new mysqli("*****", "*****", "******", "********");
if ($mysqli === false) {
    die("ERROR: Could not connect to database. " . mysqli_connect_error());
}

$vidlink = mysql_real_escape_string($_POST[vidlink]);
$title = mysql_real_escape_string($_POST[title]);
$des = mysql_real_escape_string($_POST[des]);
$website = mysql_real_escape_string($_POST[website]);
$cat = mysql_real_escape_string($first . $second . $third . $fourth);

Why won't it work?

I am working on a project at the end of a text book called Beginning PHP MySQL Development, which is published by Pawprints Learning Technologies. I am developing the files in NetBeans and using WAMP server. I get this error from the process_insert.php file: "Deprecated: MySQL_real_escape_string():..."
I can't copy and paste so I attached my files. Can anyone help?

Attached files: Add Product_php.htm, index.php, add_product.php, process_insert.php, db.connect.php

Hi, can anyone please tell me what is wrong with this code? It is an index.php file. I think I might have accidentally deleted something somewhere between line 12 & 13? Please help, my whole website is down because of it. I am not a programmer and I was trying to do a 301 redirect. It didn't work obviously, so I removed the script that I entered and saved the file again, but it is still not working.

I am trying to run the following code:

$result = mysql_query("SELECT * FROM indiatutors_profiles WHERE id='$id' ") or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
    $email = $row[email];
}
echo $email;

It gives me the following error:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in website_path/profiles.php on line 7

The funny thing about the code is that in spite of giving the error, it outputs the email correctly based upon the id, which it shouldn't have done if there was some error.

I am using X cart and I have tried to add a function that hides prices until customers log in.
So I added the following code to my files with Notepad, but I keep getting Smarty errors:

Error: Smarty error: [in customer/main/products_t.tpl line 161]: syntax error: 'if' statement requires arguments (Smarty_Compiler.class.php, line 1270) in /home1/lemielfa/public_html/include/lib/smarty/Smarty.class.php on line 1092

Here's Smarty.class.php line 1092:

 * @param string $error_msg
 * @param integer $error_type
 */
function trigger_error($error_msg, $error_type = E_USER_WARNING)
{
    trigger_error("Smarty error: $error_msg", $error_type);   // <----- line 1092
}

/**
 * executes & displays the template results

This was my first time adding some code to my web, I hope I didn't screw up that much......

Thank You
David

Following Code ADDED

1. Apply the following SQL statements either from your cart admin/patch area or phpMyAdmin. This will place 2 controls in General Settings / General options in Common options. The first one will allow you to turn this mod on/off.

INSERT INTO `xcart_config` (`name`, `comment`, `value`, `category`, `orderby`, `type`, `defvalue`, `variants`, `validation`)
VALUES ('cflsys_hide_prices', 'Hide prices for non-logged in customers (this will also hide quantity box, "buy now" and "add to cart" buttons)', 'N', 'General', 75, 'checkbox', 'N', '', '');

INSERT INTO `xcart_config` (`name`, `comment`, `value`, `category`, `orderby`, `type`, `defvalue`, `variants`, `validation`)
VALUES ('cflsys_hide_prices_message', 'Show this optional message if the option "Hide prices" is enabled', 'You need to login in order to see prices and place orders.', 'General', 76, 'text', '', '', '');

2. Add to init.php at the end of the file, just before this block:

#
# WARNING !
# Please ensure that you have no whitespaces / empty lines below this message.
# Adding a whitespace or an empty line below this line will cause a PHP error.
#

this PHP code:

# added by CFL Systems for hide prices if customer not logged in
$smarty->assign("cflsys_hide_prices", $config['General']['cflsys_hide_prices']);
$smarty->assign("cflsys_hide_prices_message", $config['General']['cflsys_hide_prices_message']);
# added by CFL Systems for hide prices if customer not logged in

3. In skin1/customer/main/products.tpl find:

{if $config.Appearance.products_per_row && ($featured eq "Y" || $config.Appearance.featured_only_multicolumn eq "N")}
{include file="customer/main/products_t.tpl"}
{else}
{include file="customer/main/products_list.tpl"}
{/if}

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if $login eq "" && $cflsys_hide_prices eq "Y"}
{if $cflsys_hide_prices_message ne ""}
<div style="color: red; margin: 5px 0; padding: 5px 5px 5px 10px; border: 1px solid #cccccc;">{$cflsys_hide_prices_message}</div>
{/if}
{/if}
{* added by CFL Systems to hide prices if customer not logged in *}

4. In skin1/customer/main/product.tpl (skin1/customer/main/product_details.tpl for 4.3.x, code may be slightly different) find this:

<tr>
<td class="property-name product-price">{$lng.lbl_price}:</td>
<td class="property-value">

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if $login eq "" && $cflsys_hide_prices eq "Y"}
$nbsp;
{else}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

{if $product.forsale ne "B"}
<tr>
<td colspan="2">
{include file="customer/main/product_prices.tpl"}
</td>
</tr>
{/if}

and after it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

<tr>
<td class="property-name product-input">
{$lng.lbl_quantity}

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if $login eq "" && $cflsys_hide_prices eq "Y"}
<tr>
<td colspan="2">
{if $cflsys_hide_prices_message ne ""}
{$cflsys_hide_prices_message}
{else}
{/if}
</td>
</tr>
{else}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

{/if}
</table>

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

{if $product.appearance.buy_now_buttons_enabled}

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if $login eq "" && $cflsys_hide_prices eq "Y"}
$nbsp;
{else}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

</form>

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if}
{* added by CFL Systems to hide prices if customer not logged in *}

5. In skin1/customer/main/products_list.tpl find:

{if $product.product_type eq "C"}
{include file="customer/buttons/details.tpl" href=$url}
{else}

and after it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if $login eq "" && $cflsys_hide_prices eq "Y"}
$nbsp;
{else}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find:

{/if}
</div>
<div class="clearing"></div>

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if}
{* added by CFL Systems to hide prices if customer not logged in *}

6. In skin1/customer/main/products_t.tpl find:

<tr>
{foreach from=$row item=product}
{if $product}
<td class="product-cell product-cell-price">
{if $product.product_type ne "C"}
{if $active_modules.Subscriptions ne "" && $product.catalogprice}

and before it add:

{if $login eq "" && $cflsys_hide_prices eq "Y"}
<tr>
<td colspan="2">
</td>
</tr>
{else}
{* added by CFL Systems to hide prices if customer not logged in *}

Then find at the end of the file:

{/foreach}
</table>
{/if}

and before it add:

{* added by CFL Systems to hide prices if customer not logged in *}
{if}
{* added by CFL Systems to hide prices if customer not logged in *}

form2.php

<?php
session_start();
if (empty($_SESSION['is_logged_in'])) {
    header("Location:chatframe.php");
    die(); // just to make sure no scripts execute
}
?>
<?php
mysql_connect("localhost","root") or die(mysql_error());
mysql_select_db("cute") or die(mysql_error());
$message=$_POST['message'];
$a=$_SESSION['username'];
if(isset($_POST['submit'])) //if submit button push has been detected
{
    if(strlen($message)>1)
    {
        $message=strip_tags($message);
        $IP=$_SERVER["REMOTE_ADDR"]; //grabs poster's IP
        $checkforbanned="SELECT IP from ipbans where IP='$IP'";
        $checkforbanned2=mysql_query($checkforbanned) or die("Could not check for banned IPS");
        if(mysql_num_rows($checkforbanned2)>0) //IP is in the banned list
        {
            print "Your IP is banned from
posting.";
        }
        else
        {
            $thedate = date("U"); //grab date and time of the post
            $insertmessage="INSERT into chatmessages (name,IP,postime,message) values('$a','$IP','$thedate','$message')";
            mysql_query($insertmessage) or die("Could not insert message");
        }
        $a="window.location.replace('chatlog2.php')",2000);
        echo "<html>
<head>
<script>
setTimeout($a);
var objDiv = document.body;
objDiv.scrollTop = objDiv.scrollHeight;
</script>
</head>
</html>";
    }
}
?>
<html>
<head>
<script type="text/javascript">
function addsmiley(code)
{
    var pretext = document.smile.message.value;
    this.code = code;
    document.smile.message.value = pretext + code;
}
function a()
{
    var x = document.smile.message.value;
    if(x=="")
    {
        alert("Please insert an message!");
        return false;
    }
}
</script>
<style type="text/css">
body{ background-color: #d8da3d }
</style>
</head>
<body>
<center>
<form name="smile" method="post" action="form2.php" onSubmit="return a()" >
Your message: <a style="text-decoration:none" <a href="javascript: void(0)" onclick="window.open('banip.php', 'windowname2', 'width=400, \ height=150, \ directories=no, \ location=no, \ menubar=no, \ resizable=no, \ scrollbars=1, \ status=no, \ toolbar=no'); return false;">Action</a> <a style="text-decoration:none" href="logout.php">Sign Out</a><br>
<textarea name='message' cols='40' rows='2'></textarea><br>
<img src="smile.gif" alt=":)" onClick="addsmiley(':)')" style="cursor:pointer;border:0" />
<img src="blush.gif" alt=":)" onClick="addsmiley('*blush*')" style="cursor:pointer;border:0" />
<input type='submit' name='submit' value='Send' class='biasa' >
</form>
<br>
<br>
</center>
</body>
</html>

Which is wrong, and can you please modify it?

This topic has been realloc()d to PHP Freelancing.
http://www.phpfreaks.com/forums/index.php?topic=345803.0

Hello All, Wondering if someone can help.

I have a piece of code which I use on all data I post to my database, which uses mysql_real_escape_string on all my forms for security purposes, that I found on t'internet:

if(!get_magic_quotes_gpc()){
    $_GET = array_map('mysql_real_escape_string', $_GET);
    $_POST = array_map('mysql_real_escape_string', $_POST);
    $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
    $_COOKIE = array_map('mysql_real_escape_string', $_COOKIE);
}

However, ever since I've installed this I'm having problems with other elements, such as deleting records from a MySQL database like so:

<?php
$msg = "";
if(isset($_POST['Submit'])){
    $total = $_POST['total'];
    $news_ids = $_POST['nws_id'];
    foreach($news_ids as $id){
        mysql_query("DELETE FROM news WHERE news_id='$id'");
    }
    $msg = count($news_ids) . " News Item(s) deleted!";
}
$result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
$num = mysql_num_rows($result);
$n = 0;
?>

Yet if I delete the piece of code above, it works fine, but I don't understand why the above code affects this? Anyone please help me understand? Thanks

I just read a few tutorials about mysql_real_escape_string. Could someone check if this is correct?
<?php
$conn = mysql_connect("localhost","myusername","thepassword1");
mysql_select_db("mydataB", $db);
$result = mysql_query("SELECT * FROM applicant WHERE username = '$username'");
if (mysql_num_rows ($result) > 0){
    $register = "&err=Not Available.";
    echo($register);
} else {
    $username = mysql_real_escape_string($_POST['username'], $db);
    $password = mysql_real_escape_string($_POST['password'], $db);
    $name = mysql_real_escape_string($_POST['name'], $db);
    $email = mysql_real_escape_string($_POST['email'], $db);
    $id = mysql_real_escape_string($_POST['id'], $db);
    mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')");
    $register = "Successful.";
    echo($register);
}
?>

Hi, just wondering, do I need to use mysql_real_escape_string() on login information (username and password)? I use it as shown below but get an error when connecting.

if(isset($_POST['submit'])){
    if( empty($_POST['uname']) && (empty($_POST['upass']))){
        header( "Location:Messages.php?msg=1" );
        exit();
    }
    $n=mysql_real_escape_string($_POST['uname']);
    $p=mysql_real_escape_string($_POST['upass']);
    include('config.php');
    $query="select * from country where uname='$n' and pw='$p'";
    $result=mysql_query($query);

Good morning,

I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.

// insert into database

Hello and thanks in advance for the input. I have a fully functioning form. I am validating the input and successfully inserting the input into the MySQL database. Now I am trying to escape the data by adding the basic line of code:

$name = mysql_real_escape_string($_POST['name']);

The input is successful but the mysql_database for the name field is empty. If I remove the above line of code and just input the value for $name (without escape) the update works great. So the question is obvious for the above. Why?

This code gives an error. Please help fix.

$mydb = mysql_connect("localhost","my_un","my_pw");
mysql_select_db("my_db");
$query =sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'", mysql_real_escape_string($userNm));
if(mysql_num_rows($query)) {
    $login = "&err=Not allowed.";
    echo($login);
} else {
    $result=sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'", mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
    if(mysql_num_rows ($result) == 0) {
        $login = "&err=Retry!!";
        echo($login);
    } else {
        $row = mysql_fetch_array($result);
        $userNm=$row['username'];
        $passWd=$row['password'];
        $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful.";
        echo($login);
    }
}

$update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' ";
$rsUpdate = mysql_query($update);

After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly, as it seems like a tedious process and messy code.
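As an added example (not code from any of the posts above), here is how a wide UPDATE like the one just asked about can be done with a single prepared statement instead of one mysql_real_escape_string() call per value. The table layout, the column allow-list and the SQLite in-memory DSN are assumptions chosen so the script runs offline.

```php
<?php
// Added example, not code from any post above: one parameterised UPDATE for a
// wide table, instead of wrapping each of 28 values in mysql_real_escape_string().
// Runs offline against an in-memory SQLite database; for MySQL use the DSN
// 'mysql:host=localhost;dbname=my_db;charset=utf8mb4' and also pass
// PDO::ATTR_EMULATE_PREPARES => false so the server does the binding.

// Allow-list of columns the form may touch (assumed table layout). Column
// names cannot be bound as parameters, so they come only from this list.
const MODEL_COLUMNS = ['name', 'age', 'height', 'hair', 'bust', 'waist', 'hips'];

function updateModel(PDO $db, int $id, array $fields): int
{
    $set    = [];
    $params = [':id' => $id];
    foreach ($fields as $column => $value) {
        if (!in_array($column, MODEL_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $column");
        }
        $set[]              = "$column = :$column"; // identifier from allow-list
        $params[":$column"] = $value;               // value via placeholder
    }
    if ($set === []) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE model SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params); // values travel separately from the SQL text
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE model (id INTEGER PRIMARY KEY, name TEXT, age INTEGER,
           height TEXT, hair TEXT, bust TEXT, waist TEXT, hips TEXT)');
$db->exec("INSERT INTO model (id, name, age) VALUES (1, 'old name', 20)");

// Constructed form input with quotes and a backslash: it is stored verbatim
// and read back without the \" or \' that double escaping leaves behind.
$posted  = ['name' => 'O\'Brien "Jr." \\ test', 'height' => "5'9", 'hair' => 'brown'];
$changed = updateModel($db, 1, $posted);
$row     = $db->query('SELECT name, height, hair FROM model WHERE id = 1')
              ->fetch(PDO::FETCH_ASSOC);
echo ($changed === 1 && $row === $posted) ? "stored verbatim\n" : "mismatch\n";

// Field names outside the allow-list are refused rather than interpolated.
try {
    updateModel($db, 1, ['is_admin' => 1]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // Unknown column: is_admin
}
```

Because the values never pass through the SQL text, no escaping step is needed and nothing has to be stripped again on the way out.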
Hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes? I know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then I found such JS code as:

javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

(this allows the user of any site to edit content on the user's end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? Thanks

Is it correct to use the mysql_real_escape_string() function on every query that I want to insert or search? I have fields like TEXT (description of article), VARCHAR (name of article) and more like that, and is it correct to use mysql_real_escape_string for all fields when the query is INSERT?

I have a form that allows users to submit to a database and for security reasons I am using mysql_real_escape_string on all of their input values. However this means that if the user puts something in speech marks such as "hello" it will then show up in the database as \"hello\". This means that whenever I fetch anything from the database it will have slashes in, which doesn't look good. How do other people get round this problem? When I fetch something from my database should I do a string replace and just delete these slashes or is there a better method? Thanks for any help.

What is wrong with the injection preventer (array function) seen below:

//injection prevention
if (isset($_GET)){
    if (!is_array($_POST)){
        foreach( $_POST as $key => $value){
            $_POST["$key"]=mysql_real_escape_string($value) ;
        }
    }
    else {//here
        while (is_array($key)){
            foreach( $_POST as $key => $value){
                $_POST["$key"]=mysql_real_escape_string($value) ;
                echo $key;
            }
        }
    }

Never had this one before. Here's a string from a URL:

$urltext = Product_Name_'with_single_quotes'_"_B

$name = str_replace( "_", " ", $urltext );
echo 'raw: ' . $name . "<br>";
$name = mysql_real_escape_string( $name );
echo 'mysql_real_escaped: ' . $name . '<br>';

Doesn't seem possible, but both of the "echos" return the same string. My query fails because there are no backslashes in the SQL statement. What's going on here?

raw: Product Name 'with single quotes' " B
mysql_real_escaped: Product Name 'with single quotes' " B