Can't use mysql_real_escape_string

Question

So, I'm getting this warning when using mysql_real_escape_string

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'username'@'localhost' (using password: NO) in /home/path/php/functions.php on line 11

The rest of the site works fine, connects to the DB and all, but I get an error when using this function.

It works completely fine on my localhost testing server.

Any ideas?

I use aforementioned function in my own homebrew string sanitation function:

function sani($string){     
  $string = strip_tags($string); 
  $string = htmlspecialchars($string); 
  $string = trim(rtrim(ltrim($string))); 
  $string = mysql_real_escape_string($string);
  return $string;
}

And I use this function every time I do queries...

function mm_mysqlquery($query) {
 if (MM_DEBUG == true) { echo "Query: $query <br>"; mm_log("Query: $query"); } //print query if MM_DEBUG
 $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die ("mysql_error: " . mysql_error());
 $db_selected = mysql_select_db(DB_NAME);
 return mysql_query($query, $link);
}

Thanks on beforehand!

Answer 1

Are you sure you have a connection open when you call the function? If yes, I don't know the cause of the warning, but you can use addslashes() instead. It does the same thing without an extra DB call.

Answer 2

First point: If you're getting an error from mysql_real_escape_string(), it's because you are calling the function before you're connected to the database.

It looks like you connect to the database right before you run a query. So anything you do before you call your mm_mysqlquery() function won't have a connection.

The mysql_real_escape_string() function needs a live connection to the database, so it can do the right kind of escaping with respect to the connection's character set. So you need to connect before you do escaping.

It's better to do that anyway, because if you make several queries during the course of a single PHP request, it's less overhead to connect once and use the same connection for all your queries.

Second, please don't take suggestions to use addslashes() -- it does not do the same thing as mysql_real_escape_string(). The two are not interchangeable. You should get into the habit of using mysql_real_escape_string().

Third, your sani() function shows a common misconception.

function sani($string){     
  $string = strip_tags($string); 
  $string = htmlspecialchars($string); 
  $string = trim(rtrim(ltrim($string))); 
  $string = mysql_real_escape_string($string);
  return $string;
}

The common misconception is that you need all these functions to make a string safe in an SQL statement. You don't. Only mysql_real_escape_string() is necessary. All the other functions in this example do nothing to protect against SQL injection.

Those functions are useful if you output a string in an HTML presentation and you want to reduce the risk of XSS attacks, but then mysql_real_escape_string() is irrelevant.

Use each type of sanitizing method in its appropriate context.

Answer 3

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

Where $unescaped_string is your string and $link_identifier is your db resource.

The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

PHP.NET mysql_real_escape_string resource