PHP - Warning: Mysql_real_escape_string()
Hi guys, I am having a problem deleting rows in the database. I just receive two warnings from mysql_real_escape_string(), which are:

Code:
    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'myusername'@'localhost' (using password: NO) in /home/username/public_html/mysite.com/delete.php on line 11
    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/username/public_html/mysite.com/delete.php on line 11
    failed

The errors are coming from this line:

Code:
    return mysql_real_escape_string($value);

Here is the full code:

Code:
    <?php
    session_start();

    define('DB_HOST', 'localhost');
    define('DB_USER', 'username');
    define('DB_PASSWORD', 'password');
    define('DB_DATABASE', 'databasename');

    function clean($value)
    {
        // mysql_real_escape_string() needs an open connection; nothing in this file calls mysql_connect()
        return mysql_real_escape_string($value);
    }

    $id = clean($_GET['id']);

    if ($id != NULL) {
        $query   = @mysql_db_query(DB_DATABASE, "DELETE FROM table1 WHERE id = '$id'");
        $deleted = @mysql_affected_rows();
        if ($deleted > 0) {
            echo("worked");
        } else {
            echo("failed");
        }
    } else {
        echo("failed");
    }

    @mysql_close($link); // $link is never assigned above
    ?>

I have input the correct password, so what's wrong??

Hi Everyone, I am having a few issues with my website. I have developed it on my XAMPP localhost and it works OK, but when I upload the files and try to renew a membership using Stripe I get the following messages.

Code:
    Warning: session_start(): Cannot start session when headers already sent in /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/inc/settings.php on line 2
    Warning: Cannot modify header information - headers already sent by (output started at /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/procedures/payments/charge.php:1) in /customers/a/d/f/mywebsite.co.uk/httpd.www/mywebsite/procedures/payments/charge.php on line 141

I have some includes that appear on every page. This is the bootstrap.php file.
This file holds settings.php, which connects to my database, and other function files. In this settings page I call the session_start() PHP function and then connect to my database. I call the bootstrap.php file on every page and therefore call session_start() on every page. I am using sessions a lot, so is this the right thing to do? I have attached the renew_membership payment page which holds the form. The user fills out the payment page and the form data gets sent to a script called charge.php which uses the Stripe objects to make the payment. I then want to do a redirect to the paymentSuccess.php page to tell the user that the payment was made successfully. This is where the issues arise. I have split the charge file into 3 screenshots so it is more readable. Hope someone can help me. Thanks a lot, David
Edited April 26 by Irish_Dave

Code:
    <?php
    if (isset($_POST['submit'])) {
        $name = $_POST['name'];
    }
    ?>
    <form method="POST" action="hist1.php">
    <br />
    <input type="hidden" name="name" value="<?php echo $name ?>" />

    <?php
    $q = mysql_query("SELECT * FROM histact1 ORDER BY RAND() LIMIT 1");
    while ($r1 = mysql_fetch_array($q)) {
        $id        = $r1[0];
        $question1 = $r1[1];
        $opt1      = $r1[3];
        $opt2      = $r1[4];
        $opt3      = $r1[5];
    ?>
    <div class="Qset" id="q1"><br /><br />
    <label class="items">1st Question :</label>
    <br />
    <center>
    <textarea class="textareaQ" name="question1" readonly><?php echo $question1; ?></textarea>
    </center>
    <br /><br />
    <p class="marA">
    <input type="radio" name="rad1" value="<?php echo $opt1; ?>" /> <label class="lbl"><?php echo $opt1 ?></label><br />
    <input type="radio" name="rad1" value="<?php echo $opt2; ?>" /> <label class="lbl"><?php echo $opt2 ?></label><br />
    <input type="radio" name="rad1" value="<?php echo $opt3; ?>" /> <label class="lbl"><?php echo $opt3 ?></label><br />
    </p>
    </div>
    <div class="lr">
    <center>
    <br /><br /><br /><br />
    <a class="nxt" href="#q2"><label title="Proceed to 2nd Question">Next</label></a>
    </center>
    </div>
    <br /><br /><br />
    <center><hr width="90%" /></center><br />
    <?php } ?>
    <br /><br />

    <?php
    $q = mysql_query("SELECT * FROM histact1 ORDER BY RAND() LIMIT 1");
    while ($r1 = mysql_fetch_array($q)) {
        $id        = $r1[0];
        $question2 = $r1[1];
        $opt1      = $r1[3];
        $opt2      = $r1[4];
        $opt3      = $r1[5];
    ?>
    <div class="Qset" id="q2"><br /><br />
    <label class="items">2nd Question :</label>
    <br />
    <center>
    <textarea class="textareaQ" name="q2" readonly><?php echo $question2; ?></textarea>
    </center>
    <br /><br />
    <p class="marA">
    <input type="radio" name="rad2" value="<?php echo $opt1; ?>" /> <label class="lbl"><?php echo $opt1 ?></label><br />
    <input type="radio" name="rad2" value="<?php echo $opt2; ?>" /> <label class="lbl"><?php echo $opt2 ?></label><br />
    <input type="radio" name="rad2" value="<?php echo $opt3; ?>" /> <label class="lbl"><?php echo $opt3 ?></label><br />
    </p>
    </div>
    <div class="lr">
    <center>
    <br /><br /><br /><br />
    <a class="nxt" href="#q1"><label title="Proceed to 1st Question">Back</label></a> |
    <a class="nxt" href="#q3"><label title="Proceed to 3rd Question">Next</label></a>
    </center>
    </div>
    <br /><br /><br />
    <center><hr width="90%" /></center><br />
    <?php } ?>
    <br /><br />

    <?php
    $q = mysql_query("SELECT * FROM histact1 ORDER BY RAND() LIMIT 1");
    while ($r1 = mysql_fetch_array($q)) {
        $id        = $r1[0];
        $question3 = $r1[1];
        $opt1      = $r1[3];
        $opt2      = $r1[4];
        $opt3      = $r1[5];
    ?>
    <div class="Qset" id="q3"><br /><br />
    <label class="items">3rd Question :</label>
    <br />
    <center>
    <textarea class="textareaQ" name="q3" readonly><?php echo $question3; ?></textarea>
    </center>
    <br /><br />
    <p class="marA">
    <input type="radio" name="rad3" value="<?php echo $opt1; ?>" /> <label class="lbl"><?php echo $opt1 ?></label><br />
    <input type="radio" name="rad3" value="<?php echo $opt2; ?>" /> <label class="lbl"><?php echo $opt2 ?></label><br />
    <input type="radio" name="rad3" value="<?php echo $opt3; ?>" /> <label class="lbl"><?php echo $opt3 ?></label><br />
    </p>
    </div>
    <div class="lr">
    <center>
    <br /><br /><br /><br />
    <a class="nxt" href="#q2"><label title="Proceed to 2nd Question">Back</label></a> |
    <a class="nxt" href="#q4"><label title="Proceed to 4th Question">Next</label></a>
    </center>
    </div>
    <br /><br /><br />
    <center><hr width="90%" /></center><br />
    <?php } ?>
    <br /><br />

    <?php
    $q = mysql_query("SELECT * FROM histact1 ORDER BY RAND() LIMIT 1");
    while ($r1 = mysql_fetch_array($q)) {
        $id        = $r1[0];
        $question4 = $r1[1];
        $opt1      = $r1[3];
        $opt2      = $r1[4];
        $opt3      = $r1[5];
    ?>
    <div class="Qset" id="q4"><br /><br />
    <label class="items">4th Question :</label>
    <br />
    <center>
    <textarea class="textareaQ" name="q4" readonly><?php echo $question4; ?></textarea>
    </center>
    <br /><br />
    <p class="marA">
    <input type="radio" name="rad4" value="<?php echo $opt1; ?>" /> <label class="lbl"><?php echo $opt1 ?></label><br />
    <input type="radio" name="rad4" value="<?php echo $opt2; ?>" /> <label class="lbl"><?php echo $opt2 ?></label><br />
    <input type="radio" name="rad4" value="<?php echo $opt3; ?>" /> <label class="lbl"><?php echo $opt3 ?></label><br />
    </p>
    </div>
    <div class="lr">
    <center>
    <br /><br /><br /><br />
    <a class="nxt" href="#q3"><label title="Proceed to 3rd Question">Back</label></a> |
    <a class="nxt" href="#q5"><label title="Proceed to 5th Question">Next</label></a>
    </center>
    </div>
    <br /><br /><br />
    <center><hr width="90%" /></center><br />
    <?php } ?>
    <br /><br />

    <?php
    // the 5th question excludes the four already shown
    $q = mysql_query("SELECT * FROM histact1 WHERE question != '$question1' AND question != '$question2' AND question != '$question3' AND question != '$question4' ORDER BY RAND() LIMIT 1");
    while ($r1 = mysql_fetch_array($q)) {
        $id        = $r1[0];
        $question5 = $r1[1];
        $opt1      = $r1[3];
        $opt2      = $r1[4];
        $opt3      = $r1[5];
    ?>
    <div class="Qset" id="q5"><br /><br />
    <label class="items">5th Question :</label>
    <br />
    <center>
    <textarea class="textareaQ" name="q5" readonly><?php echo $question5; ?></textarea>
    </center>
    <br /><br />
    <p class="marA">
    <input type="radio" name="rad5" value="<?php echo $opt1; ?>" /> <label class="lbl"><?php echo $opt1 ?></label><br />
    <input type="radio" name="rad5" value="<?php echo $opt2; ?>" /> <label class="lbl"><?php echo $opt2 ?></label><br />
    <input type="radio" name="rad5" value="<?php echo $opt3; ?>" /> <label class="lbl"><?php echo $opt3 ?></label><br />
    </p>
    </div>
    <div class="lr">
    <center>
    <br /><br /><br /><br />
    <a class="nxt" href="#q4"><label title="Proceed to 4th Question">Back</label></a> |
    <input type="submit" title="Submit Answers" name="submit" class="submit" value=" Submit " onclick="return confirm('Are you sure you want to submit your answers?\nYou can review your answer by click the Back link')" />
    </center>
    </div>
    <br /><br /><br />
    <center><hr width="90%" /></center><br />
    <?php } ?>
    </form>

Edited by mac_gyver, 09 October 2014 - 10:51 AM.
code in code tags please

I am running into an issue that I have never dealt with before and am not sure if there is even a possible solution. I have two files: fileA and fileB. fileA contains a loop that loops 30 times each time it's called; in the loop there is a 2-second delay.

Code:
    $i = 1;
    do {
        $i++;
        sleep(2);
        if (!isset($_SESSION['user'])) {
            break;
        }
    } while ($i < 31);

In fileB I have a simple destroy session:

Code:
    $_SESSION = array();
    session_destroy();

I call both files via AJAX, and that is where I run into my problem. If I call fileA first, then call fileB through AJAX, the code in fileB does not execute until fileA has run its course. Is it possible to get around this? Like set the priority of one over the other?

This code gives an error. Please help fix.

Code:
    $mydb = mysql_connect("localhost", "my_un", "my_pw");
    mysql_select_db("my_db");

    // mysql_num_rows() needs the result resource from mysql_query(), not the SQL string itself
    $query = mysql_query(sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'",
                                 mysql_real_escape_string($userNm)));
    if (mysql_num_rows($query)) {
        $login = "&err=Not allowed.";
        echo($login);
    } else {
        $result = mysql_query(sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'",
                                      mysql_real_escape_string($userNm),
                                      mysql_real_escape_string($passWd)));
        if (mysql_num_rows($result) == 0) {
            $login = "&err=Retry!!";
            echo($login);
        } else {
            $row    = mysql_fetch_array($result);
            $userNm = $row['username'];
            $passWd = $row['password'];
            $login  = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful.";
            echo($login);
        }
    }

Hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes? I know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then I found such JS code as:

Code:
    javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

(this allows the user of any site to edit content on the user's end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? Thanks

Hello All, wondering if someone can help. I have a piece of code which I use on all data I post to my database, which uses mysql_real_escape_string on all my forms for security purposes, that I found on t'internet:

Code:
    if (!get_magic_quotes_gpc()) {
        $_GET     = array_map('mysql_real_escape_string', $_GET);
        $_POST    = array_map('mysql_real_escape_string', $_POST);
        $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
        $_COOKIE  = array_map('mysql_real_escape_string', $_COOKIE);
    }

However, ever since I've installed this I'm having problems with other elements, such as deleting records from a MySQL database like so:

Code:
    <?php
    $msg = "";
    if (isset($_POST['Submit'])) {
        $total    = $_POST['total'];
        $news_ids = $_POST['nws_id']; // an array of checked ids
        foreach ($news_ids as $id) {
            mysql_query("DELETE FROM news WHERE news_id='$id'");
        }
        $msg = count($news_ids) . " News Item(s) deleted!";
    }
    $result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
    $num = mysql_num_rows($result);
    $n = 0;
    ?>

Yet if I delete the piece of code above, it works fine, but I don't understand why the above code affects this? Can anyone please help me understand? Thanks

I have a form that allows users to submit to a database, and for security reasons I am using mysql_real_escape_string on all of their input values.
However, this means that if the user puts something in speech marks such as "hello", it will then show up in the database as \"hello\". This means that whenever I fetch anything from the database it will have slashes in, which doesn't look good. How do other people get round this problem? When I fetch something from my database should I do a string replace and just delete these slashes, or is there a better method? Thanks for any help.

I just read a few tutorials about mysql_real_escape_string. Could someone check if this is correct?

Code:
    <?php
    $conn = mysql_connect("localhost", "myusername", "thepassword1");
    mysql_select_db("mydataB", $conn);

    // escape the posted values on the open connection before any of them is used in a query
    $username = mysql_real_escape_string($_POST['username'], $conn);
    $password = mysql_real_escape_string($_POST['password'], $conn);
    $name     = mysql_real_escape_string($_POST['name'], $conn);
    $email    = mysql_real_escape_string($_POST['email'], $conn);
    $id       = mysql_real_escape_string($_POST['id'], $conn);

    $result = mysql_query("SELECT * FROM applicant WHERE username = '$username'", $conn);
    if (mysql_num_rows($result) > 0) {
        $register = "&err=Not Available.";
        echo($register);
    } else {
        mysql_query("INSERT INTO applicant (username, password, name, email, id) VALUES ('$username', '$password', '$name', '$email', '$id')", $conn);
        $register = "Successful.";
        echo($register);
    }
    ?>

Is it correct to use the mysql_real_escape_string() function on every query that I want to insert or search with? I have fields like TEXT (description of article), VARCHAR (name of article) and more like that, and is it correct to use mysql_real_escape_string for all fields when the query is INSERT?

Hi, just wondering, do I need to use mysql_real_escape_string() on login information (username and password)? I use it as shown below but get an error when connecting.
Code:
    if (isset($_POST['submit'])) {
        if (empty($_POST['uname']) && (empty($_POST['upass']))) {
            header("Location:Messages.php?msg=1");
            exit();
        }
        // these two calls run before config.php (which opens the connection) is included
        $n = mysql_real_escape_string($_POST['uname']);
        $p = mysql_real_escape_string($_POST['upass']);
        include('config.php');
        $query  = "select * from country where uname='$n' and pw='$p'";
        $result = mysql_query($query);

Code:
    $update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' ";
    $rsUpdate = mysql_query($update);

After reading the manual at php.net on this function, I should be applying mysql_real_escape_string to each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly, as it seems like a tedious process and messy code.

Hello and thanks in advance for the input. I have a fully functioning form. I am validating the input and successfully inserting it into the MySQL database. Now I am trying to escape the data by adding the basic line of code:

Code:
    $name = mysql_real_escape_string($_POST['name']);

The input is successful, but the name field in the MySQL database is empty. If I remove the above line of code and just input the value for $name (without escaping) the update works great. So the question is obvious for the above. Why?

Good morning,
I am trying to implement a simple sanitization of data before inserting into my database and am having a little trouble due to the fact that I am using a third-party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.
Code:
    // insert into database

If I use mysql_real_escape_string() whilst inserting data, and that data contained 'common SQL injection chars', I'm guessing it would escape/backslash them? So say if I now wanted to select/extract that data from the DB, would the data contain the slashes or would the slashes be automatically removed/stripped?

Hi all, I use mysql_real_escape_string on user inputs before using them in a MySQL query. However, some of my queries use arrays or imploded arrays, for example a query of the form:

Code:
    SELECT .. FROM .. WHERE .. IN ..

It seems like in these cases I can't use mysql_real_escape_string; am I correct in thinking this? If so, what can I use instead to ensure the best possible security against SQL injections? Thanks!

I have an AJAX script which queries a DB when a user inputs a search text. That's great, works well. However, when I use mysql_real_escape_string, it seems to completely get rid of '$q'. When I don't use it, it works well, but of course there's the security side of things. Here's the code snippet:

Code:
    <?php
    error_reporting(E_ALL);
    $q = $_GET["q"]; // added mysql_real_escape_string
    // the commented-out line escapes the literal text $_GET["q"] (single quotes), and runs before mysql_connect()
    //$q = mysql_real_escape_string('$_GET["q"]');
    $con = mysql_connect("localhost", "aaaaa", "aaaaa");
    if (!$con) {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("aaaaa", $con);
    $sql = "SELECT * FROM articles WHERE keywords LIKE '%$q%'";
    ?>

It seems so simple, but it's just not working. What could it be?

Never had this one before. Here's a string from a URL:

Code:
    $urltext = Product_Name_'with_single_quotes'_"_B

Code:
    $name = str_replace("_", " ", $urltext);
    echo 'raw: ' . $name . "<br>";
    $name = mysql_real_escape_string($name);
    echo 'mysql_real_escaped: ' . $name . '<br>';

Doesn't seem possible, but both of the "echos" return the same string. My query fails because there are no backslashes in the SQL statement. What's going on here?

Code:
    raw: Product Name 'with single quotes' " B
    mysql_real_escaped: Product Name 'with single quotes' " B

mysql_real_escape_string does not add slashes when it enters my DB.

Code:
    <?php
    if (isset($_POST['submitbtn'])) {
        // will open up the db connection
        require_once "../includes/connect.php";
        $errors = "";

        $welcometitle   = mysql_real_escape_string($_POST['welcometitle']);
        $welcomesection = mysql_real_escape_string($_POST['welcomesection']);
        $infotitle      = mysql_real_escape_string($_POST['infotitle']);
        $infosection    = mysql_real_escape_string($_POST['infosection']);
        $videotitle     = mysql_real_escape_string($_POST['videotitle']);
        $videosection   = mysql_real_escape_string($_POST['videosection']);

        if (isset($welcometitle, $welcomesection) && !empty($welcometitle) && !empty($welcomesection)) {
            if (isset($infotitle, $infosection) && !empty($infotitle) && !empty($infosection)) {
                if (isset($videotitle, $videosection) && !empty($videotitle) && !empty($videosection)) {
                    // adding them to the db
                    $query = mysql_query("UPDATE `home` SET `welcometitle`= '$welcometitle', `welcomesection`= '$welcomesection', `infotitle`='$infotitle', `infosection`= '$infosection',`videotitle`= '$videotitle',`videosection`= '$videosection'") or die(mysql_error());
                    header("location: http://www.website.org/control/edithome");
                } else {
                    $errors = "Please fill in the Video Section";
                }
            } else {
                $errors = "Please fill in the Info Section";
            }
        } else {
            $errors = "Please fill in the Welcome Section";
        }
        mysql_close(); // will close the included db connection
    }
    ?>
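Most of the posts above share one pattern: a value is escaped (or not) with mysql_real_escape_string() and then interpolated into the SQL text. The block below is an added example, not code from any post or reply in this thread, showing the same operations done with PDO prepared statements, where the MySQL server binds the values and PHP never escapes anything. The table and column names (table1.id, news.news_id, articles.keywords, idb1.username/password/authority) come from the posts; the DSN, the credentials, the list of allowed <select> values, and the assumption that idb1.password holds a password_hash() value rather than the plaintext used in the thread are assumptions of this example.

```php
<?php
// Added example, not from any post in this thread: the thread's queries rewritten with
// PDO prepared statements. Table and column names come from the posts; the DSN,
// credentials and the hashed-password column are assumptions of this example.
declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=databasename;charset=utf8mb4', // assumed
        'username',                                                 // assumed
        'password',                                                 // assumed
        [
            // Throw on any error instead of returning false; the @-silenced mysql_*
            // calls in delete.php are how "Access denied" turned into a bare "failed".
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Let the MySQL server bind the parameters; PHP never escapes anything,
            // so nothing is stored with backslashes and nothing needs stripslashes().
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// delete.php post: one row by an id from the query string. Anything that is not an
// unsigned integer is rejected before it reaches the database at all.
function deleteById(PDO $pdo, string $rawId): int
{
    if (!ctype_digit($rawId)) {
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM table1 WHERE id = ?');
    $stmt->execute([(int) $rawId]);
    return $stmt->rowCount();
}

// "arrays or imploded arrays" post: WHERE ... IN (...) with a variable number of
// values. One placeholder per value; the values themselves never appear in the SQL.
function deleteNews(PDO $pdo, array $ids): int
{
    $ids = array_values(array_filter($ids, fn ($v) => is_string($v) && ctype_digit($v)));
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM news WHERE news_id IN ($placeholders)");
    $stmt->execute(array_map('intval', $ids));
    return $stmt->rowCount();
}

// AJAX search post: LIKE with user input. Binding stops injection, but % and _ are
// still LIKE wildcards, so they are escaped too or a search for "%" matches every row.
function searchArticles(PDO $pdo, string $q): array
{
    $pattern = '%' . addcslashes($q, '\\%_') . '%';
    $stmt = $pdo->prepare("SELECT * FROM articles WHERE keywords LIKE ? ESCAPE '\\\\'");
    $stmt->execute([$pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Login posts: look the user up by username only and let password_verify() compare.
// Assumes idb1.password holds a password_hash() value, and never echoes the password
// back to the client as the posted code does.
function checkLogin(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT password FROM idb1 WHERE username = ? AND authority <> ?');
    $stmt->execute([$user, 'Banned']);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

// <select> post: the browser is not a trust boundary, so a posted option value is
// compared against the server's own list (assumed values) instead of being escaped.
function validChoice(string $posted, array $allowed): ?string
{
    return in_array($posted, $allowed, true) ? $posted : null;
}

$pdo = db();
printf("%d row(s) deleted\n", deleteById($pdo, (string) ($_GET['id'] ?? '')));
printf("%d news item(s) deleted\n", deleteNews($pdo, (array) ($_POST['nws_id'] ?? [])));
foreach (searchArticles($pdo, (string) ($_GET['q'] ?? '')) as $row) {
    echo htmlspecialchars($row['keywords'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the values travel separately from the SQL text, what is stored is exactly what the user sent, so the \"hello\" seen in two of the posts above cannot appear and nothing has to be stripped on the way out; with the mysql_* functions that result comes from escaping twice, once by magic_quotes_gpc and once by mysql_real_escape_string(). Two other symptoms in the thread follow from how mysql_real_escape_string() works: it requires an open connection, and called before one exists (as in delete.php, the login snippet that includes config.php afterwards, and the AJAX search) it emits the "Access denied ... (using password: NO)" warning and returns false, which is why $name and $q came back empty; and array_map('mysql_real_escape_string', $_POST) hands any array field such as nws_id[] to a function that expects a string, which is why that post's deletes stopped working once the array_map lines were added.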