mysql_real_escape_string() [function.mysql-real-escape-string] is preventing server connection

Question

Can someone explain why am getting this error when am setting up a new website? and how to solve it

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/sitename/public_html/cms/cms/admin/report.php on line 8

Now contents of line 8:

$report = mysql_real_escape_string( $report );

EDIT

<?php

require_once('auth.php'); require('core/plugin.php');
// session details  are here 
require('core/connection.php');
if($session_id == $session_id){
    $report = $_POST['reportmsg'];
    $report = strip_tags( $report );
    $report = mysql_real_escape_string( $report );
    $report = trim( $report );
    if($report == ""){
        die("textarea void");
        exit();
    } elseif($report == $report) {
        $sql="INSERT INTO report (site_id, date, time, ticket_id, bug)
        VALUES
        ( 
            '$session_id',
            '$date',
            '$time',
            '$ticket_id',
            '$report'
        )";
        if (!mysqli_query($con,$sql)) {
            die("Failed  to connect");
            exit();
        }
        echo ("<font style='font-family:Tahoma;'>ticket sent</font>");
        exit();
    }
}
?>

Answer 1

You haven't established a connection to your database

This function takes into account the character set on the database you're using (documentation), so it needs a connection to a database in order to work. Run this before any escape strings:

mysql_connect('server','username','password');

Or alternatively, consider not using mysql_* because it's deprecated, may fall out of maintenance and may be removed from a future version of PHP. You may be better off using mysqli or PDO.

Edit: Looks like you may already be using mysqli

Since you added your code, I noticed that your query is called with mysqli_query. You are probably connected to your database using mysqli, in which case, change the following line:

mysql_real_escape_string($report);

To this line:

mysqli_real_escape_string($con,$report);

These are two different APIs and don't share connection objects, so your mysql_* function cannot use your mysqli_* connection.

Having said that, you may be better off using prepared statements...

Lines and lines of escaping can make your queries safe, but they're expensive and introduce boilerplate into your code.

As others have suggested, you may wish to look into prepared statements instead:

$stmt = mysqli_prepare($con, "INSERT INTO `report` (site_id, date, time, ticket_id, bug) VALUES (?,?,?,?,?)");
mysqli_stmt_bind_param($stmt, "issis", $session_id, $date, $time, $ticket_id, $report);
mysqli_stmt_execute($stmt);

On a side note, re: die() and exit()

You use this a few times in your code:

die("textarea void");
exit();

These two functions are aliases (die() and exit() do exactly the same thing), and your code never reaches exit(). You can drop the exit(); statements where they occur after die();

Answer 2

According to the documentation http://www.php.net/manual/en/function.mysql-real-escape-string.php

A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

therefore, I bet that you're not connected to your database.

Answer 3

Do not use this function at all. At least directly in the application code. Prepared statements ought to be used instead. This is the only proper solution.

As to why you are getting this error, a manual page usually have an explanation for the every error you get with particular function.