I have just implemented mysql_real_escape_string() and now my script won't write to the DB. Everything worked fine before adding mysql_real_escape_string():

Any ideas??

$name = mysql_real_escape_string($_POST['name']);
$description = mysql_real_escape_string($_POST['description']);
$custid = mysql_real_escape_string($_SESSION['customerid']);

mysql_send("INSERT INTO list 
              SET id = '',  
                  name = '$name', 
                  description = '$description', 
                  custid = '$custid' ");
A: 

mysql_real_escape_string should have a database connection passed as the second argument since it asks the database what characters need to be escaped.

$connection = mysql_connect(HOST, USERNAME, PASSWORD);
$cleanstring = mysql_real_escape_string("my string", $connection);
akellehe
Not if you already have a connection open
blockhead
@blockhead, I was about to say that. You may be confused with mysqli_real_escape_string, which needs its first argument to be a link to the database.
Lekensteyn
In some cases it gets confused (like if you have more than one connection open), I've had this problem a number of times. I always pass a connection to ensure the string isn't truncated/erased.
akellehe
Hello MySQLi, it's nice of you for carrying the database connection with you the whole time (OO style)
Lekensteyn
A: 

A typical failure in understanding how to use certain functions... You're just using mysql_real_escape_string on raw input data. Have you ever heard of sanitizing / validating input? mysql_real_escape_string does not make sense on numbers. If you've validated a variable to be a number, you don't need to escape it.

mysql_send is an alias for mysql_query, right? Use debug code: add echo mysql_error(); after mysql_send(...).

Lekensteyn
+1  A: 

It should be easy to figure out what's going on.

First, instead of sending the query you're constructing to the database, echo it out (or log it), and see what you're actually sending to the database.

If that doesn't make it obvious, see what mysql_error() has to say.

timdev
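The three answers above boil down to one procedure: open the connection before escaping and pass the link explicitly, validate numbers instead of escaping them, then log the exact statement and read mysql_error() when the query fails. The script below is an added example that is not code from the question or from any of the answers. It uses the legacy mysql_* extension the thread is about (PHP 5.x; the extension no longer exists in PHP 7), assumes placeholder credentials (DB_USER, DB_PASSWORD, DB_NAME) and an auto-increment id column, and the helper names escape_for_link and require_int are its own. The check for a false return matters because mysql_real_escape_string() returns false when it has no usable connection, and false interpolates into a quoted SQL literal as an empty string, so a row can be written with blank fields without any SQL error.

```php
<?php
// Added example, not the question's or any answer's code. Assumes the legacy
// mysql_* extension (PHP 5.x) and placeholder credentials.

// 1. Connect first, and keep the link: escaping asks the server which
//    characters need escaping, so it needs an open connection.
$link = mysql_connect('localhost', 'DB_USER', 'DB_PASSWORD');
if ($link === false) {
    die('connect failed: ' . mysql_error());
}
if (!mysql_select_db('DB_NAME', $link)) {
    die('select_db failed: ' . mysql_error($link));
}

// 2. Escape a string for use inside single quotes, on the given link.
//    Fail loudly instead of silently writing '' when escaping itself fails.
function escape_for_link($link, $value)
{
    $escaped = mysql_real_escape_string((string) $value, $link);
    if ($escaped === false) {
        throw new RuntimeException('escape failed: ' . mysql_error($link));
    }
    return $escaped;
}

// 3. Numbers are validated, not escaped: anything that is not a whole number
//    is rejected, and the validated int is interpolated without quotes.
function require_int($value)
{
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('expected an integer');
    }
    return (int) $value;
}

$name        = escape_for_link($link, isset($_POST['name']) ? $_POST['name'] : '');
$description = escape_for_link($link, isset($_POST['description']) ? $_POST['description'] : '');
$custid      = require_int(isset($_SESSION['customerid']) ? $_SESSION['customerid'] : '');

// id is omitted on purpose: the example assumes it is AUTO_INCREMENT.
$sql = "INSERT INTO list (name, description, custid)
        VALUES ('$name', '$description', $custid)";

// 4. Log the exact statement that will be sent (to the error log, not to the browser).
error_log('about to run: ' . $sql);

// 5. Check the result and surface the server-side reason instead of failing silently.
if (mysql_query($sql, $link) === false) {
    error_log('query failed: ' . mysql_error($link));
    die('insert failed');
}
echo 'inserted row id ' . mysql_insert_id($link);
```

Run it once with the escaping call moved above mysql_connect() and the logged statement shows VALUES ('', '', ...) with no error from the server, which is the symptom the question describes; with the order as written, the log line shows the real values and any remaining failure comes with the server's message.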
+2  A: 

What is that mysql_send function?
What if you change it to mysql_query()?

Col. Shrapnel
OP said it was working until he started using mysql_real_escape_string. He didn't say he had changed that line of code.
blockhead
A: 
mysql_connect("localhost", "username", "password") or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$name = mysql_real_escape_string($_POST['name']);
$description = mysql_real_escape_string($_POST['description']);
$custid = mysql_real_escape_string($_SESSION['customerid']);

// If you are doing an UPDATE, use this code (the primary key id is not overwritten).
mysql_query("UPDATE list SET name = '$name', description = '$description' WHERE custid = '$custid' ") or die(mysql_error());
// OR if you are doing an INSERT, use this code.
mysql_query("INSERT INTO list(name, description, custid) VALUES('$name', '$description', '$custid')") or die(mysql_error());
// If custid is an integer column, use $custid instead of '$custid'.

If you are updating the records in the list table based on the custid, use the UPDATE command, or if you are inserting the records into the list table, use the INSERT command.

KMK
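The same INSERT-or-UPDATE choice, written against mysqli (which Lekensteyn's comment above alludes to) with prepared statements, as an added example that is not KMK's code. With bound parameters the values never become part of the SQL text, so neither quoting nor mysql_real_escape_string is needed, and the 'ssi' type string enforces that custid is bound as an integer, which is what KMK's last comment about '$custid' versus $custid is getting at. Assumptions: placeholder credentials (DB_USER, DB_PASSWORD, DB_NAME), an auto-increment id column, an integer custid column, and a constructed $_POST['action'] field that selects between the two statements; the function names are the example's own.

```php
<?php
// Added example, not KMK's code. Assumes the mysqli extension, placeholder
// credentials, an auto-increment `id` column and an integer `custid` column.

// Make mysqli throw mysqli_sql_exception instead of returning false, so no
// failure can pass unnoticed (this replaces the "or die(mysql_error())" idiom).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// Insert a new row. 'ssi' = name string, description string, custid integer.
// Returns the auto-increment id of the new row.
function insert_list_item(mysqli $db, $name, $description, $custid)
{
    $stmt = $db->prepare('INSERT INTO list (name, description, custid) VALUES (?, ?, ?)');
    $stmt->bind_param('ssi', $name, $description, $custid);
    $stmt->execute();
    $id = $db->insert_id;
    $stmt->close();
    return $id;
}

// Update the rows belonging to a customer. `id` is left alone: it identifies
// the row and is never something the form should be able to change.
// Returns the number of rows MySQL reports as changed.
function update_list_item(mysqli $db, $name, $description, $custid)
{
    $stmt = $db->prepare('UPDATE list SET name = ?, description = ? WHERE custid = ?');
    $stmt->bind_param('ssi', $name, $description, $custid);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Validate the session value as an integer before it gets anywhere near SQL.
$custid = filter_var(isset($_SESSION['customerid']) ? $_SESSION['customerid'] : null,
                     FILTER_VALIDATE_INT);
if ($custid === false) {
    die('customerid in session is not an integer');
}
$name        = isset($_POST['name']) ? $_POST['name'] : '';
$description = isset($_POST['description']) ? $_POST['description'] : '';
// Constructed form field that picks the statement; anything but 'update' inserts.
$action      = (isset($_POST['action']) && $_POST['action'] === 'update') ? 'update' : 'insert';

try {
    if ($action === 'update') {
        $n = update_list_item($db, $name, $description, $custid);
        echo "updated $n row(s)";
    } else {
        $newId = insert_list_item($db, $name, $description, $custid);
        echo "inserted row $newId";
    }
} catch (mysqli_sql_exception $e) {
    // Log the server's message (mysqli's counterpart of mysql_error()) and
    // show the user only a generic failure.
    error_log('query failed: ' . $e->getMessage());
    die('database error');
}
```

Note that affected_rows for an UPDATE counts rows whose values actually changed, so a zero result does not mean no row matched; the example therefore lets the caller choose the statement rather than falling back from UPDATE to INSERT on a zero count.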