mysql_real_escape_string stopped working when I moved my code to another server
https://stackoverflow.com/questions/8808588
-
26-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
The following code works perfectly fine in my local xampp installation (Windows 7), but when I ported it over to a Win2K8 R2 server, the mysql_real_escape_string piece does not work. When I comment it out, it works fine. I am pretty sure this has something to do with the php.ini file but cannot pinpoint what it is. Perhaps my code should have been written differently to begin with.
function add_asset($asset_type_ID, $org_ID, $asset_desc, $asset_cost, $asset_value, $purchase_date) {
global $db;
$asset_desc = mysql_real_escape_string($asset_desc);
$query = "INSERT INTO assets
(asset_ID, asset_type_ID, org_ID, asset_desc, asset_cost, asset_value, purchase_date)
VALUES
(DEFAULT, '$asset_type_ID', '$org_ID', '$asset_desc', '$asset_cost', '$asset_value', '$purchase_date')";
$add_asset = $db->exec($query);
$last_asset_ID = $db->lastInsertId();
return $last_asset_ID;
Specifically, when the record gets entered into mysql, the asset_desc field is blank.
Thank you!
UPDATE: After looking through the PHP error log, I found the following:
[function.mysql-real-escape-string]: Access denied for user ''@'localhost' (using password: NO)
Solution
Looks like whatever credentials you are using to connect to the database on your dev system are failing on your server.
mysql_real_escape_string() requires an active MySQL connection in order for it to work correctly; if you aren't connected to the database, it will fail.
Check wherever in your code you are calling
mysql_connect(); from the error message, it seems like your dev system is relying on the runtime default values for the Mysql extension.Alternatively, the connection resource might not be accessible to
mysql_real_escape_string()on the server's system. From the documentation formysql_real_escape_string()(emphasis mine):link_identifier
The MySQL connection. If the link identifier is not specified, the last link opened by
mysql_connect()is assumed. If no such link is found, it will try to create one as ifmysql_connect()was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.Perhaps it's possible that your dev server is configured such that calling
mysql_connect()with no arguments does establish a connection to the MySQL database server. The most likely reasons for this are either dev MySQL server allows anonymous connections, or php.ini specifies valid default credentials.However, this fails on production, most likely because the production MySQL server does not allow anonymous connections, and no default credentials are specified in php.ini.
Check over your code for situations where it is possible to arrive at the call to
mysql_real_escape_string()withoutmysql_connect()getting called first (note that establishing a connection with PDO doesn't count in this case).Since you're using PDO, consider switching to prepared statements, which will eliminate the need for
mysql_real_escape_string()entirely.
OTHER TIPS
You're probably thinking of "magic quotes"
This function has been deprecated in php 5.3 http://php.net/manual/en/function.mysql-escape-string.php
You will have to rewrite your code, ideally use PDO from now on and use prepared statements.
Quick Answer:
Connect to database first
Then use the mysql_real_escape_string.
Not the other way around......
