I am receiving the following error when trying to use the mysql_real_escape() function:

Fatal error: Call to undefined function mysql_real_escape() in /var/www/registration/index.php on line 169.

What is wrong???

$result = mysql_send("INSERT customers  SET
                                user= $username, 
                                pword= $pass1, 
                 //line169      firstname='".mysql_real_escape($firstname)."', 
                                lastname='".mysql_real_escape($lastname)."', 
                                email='".mysql_real_escape($email)."', 
                                active='No', 
                                activecode= $activecode, 
                                dateofbirth='".mysql_real_escape($dateofbirth)."', 
                                gender='".mysql_real_escape($gender)."', 
                                title='".mysql_real_escape($title)."', 
                                occupation='".mysql_real_escape($occupation)."', 
                                address='".mysql_real_escape($address)."', 
                                city='".mysql_real_escape($city)."', 
                                country='".mysql_real_escape($country)."', 
                                zip='".mysql_real_escape($zip)."', 
                                mobile='".mysql_real_escape($mobile)."', 
                                telephone='".mysql_real_escape($telephone)."', 
                                fax='".mysql_real_escape($fax)."', 

                                website='".mysql_real_escape($website)."'
                    ");
+3  A: 

Not mysql_real_escape() but mysql_real_escape_string()

VolkerK
+1  A: 

I believe the function you're looking for is mysql_real_escape_string.

That said, check into PDO or mysqli and bound parameters; this is a better longer-term solution.

MightyE
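An added example, not part of any answer on this page, of the bound-parameter approach with PDO, using a subset of the question's columns. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs offline, and the `$form` values are constructed sample input.

```php
<?php
// Added example: bound parameters with PDO instead of escaping by hand.
// Assumption: in-memory SQLite replaces the MySQL server; for MySQL only the
// DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (user TEXT, firstname TEXT, lastname TEXT,
            email TEXT, active TEXT, activecode INTEGER)');

// Constructed sample input standing in for the submitted form fields.
$form = [
    'user'       => 'jdoe',
    'firstname'  => 'Conan',
    'lastname'   => "O'Brien",   // contains a quote character
    'email'      => 'conan@example.com',
    'activecode' => '12345',
];

// The SQL text is fixed; values travel separately and are never parsed as SQL.
$stmt = $pdo->prepare(
    'INSERT INTO customers (user, firstname, lastname, email, active, activecode)
     VALUES (:user, :firstname, :lastname, :email, :active, :activecode)'
);
foreach (['user', 'firstname', 'lastname', 'email'] as $col) {
    $stmt->bindValue(":$col", $form[$col], PDO::PARAM_STR);
}
$stmt->bindValue(':active', 'No', PDO::PARAM_STR);
// The question's query interpolates $username, $pass1 and $activecode without
// quotes, a position where string escaping gives no protection. Binding
// covers those values as well.
$stmt->bindValue(':activecode', (int) $form['activecode'], PDO::PARAM_INT);
$stmt->execute();

// Read the row back: the quote in the last name is stored unchanged.
$check = $pdo->prepare('SELECT lastname, activecode FROM customers WHERE user = :user');
$check->execute([':user' => $form['user']]);
$row = $check->fetch(PDO::FETCH_ASSOC);
var_dump($row['lastname'] === $form['lastname']);
var_dump((int) $row['activecode'] === 12345);
```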
A: 

You have defined the wrong syntax. The correct syntax is mysql_real_escape_string.

Replace your code with this:

$result = mysql_send("INSERT customers  SET
                                user= $username, 
                                pword= $pass1, 
                                firstname='".mysql_real_escape_string($firstname)."', 
                                lastname='".mysql_real_escape_string($lastname)."', 
                                email='".mysql_real_escape_string($email)."', 
                                active='No', 
                                activecode= $activecode, 
                                dateofbirth='".mysql_real_escape_string($dateofbirth)."', 
                                gender='".mysql_real_escape_string($gender)."', 
                                title='".mysql_real_escape_string($title)."', 
                                occupation='".mysql_real_escape_string($occupation)."', 
                                address='".mysql_real_escape_string($address)."', 
                                city='".mysql_real_escape_string($city)."', 
                                country='".mysql_real_escape_string($country)."', 
                                zip='".mysql_real_escape_string($zip)."', 
                                mobile='".mysql_real_escape_string($mobile)."', 
                                telephone='".mysql_real_escape_string($telephone)."', 
                                fax='".mysql_real_escape_string($fax)."', 

                                website='".mysql_real_escape_string($website)."'
                    ");

Edit: It is best to use the function outside the query rather than while querying; consider using it like this:

    // I am assuming you are fetching the values from a form

    $username = htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['username'])));
    $password = htmlspecialchars(strip_tags(mysql_real_escape_string($_POST['password'])));

And so on. It will force the rules upon the user to avoid unwanted tags, spaces, etc.

And when you have the actual value in the variable, query it directly using the variable name.

Ibrahim Azhar Armar