views: 934
answers: 6

I'm trying to write something into the DB using PHP, but if I try to use mysql_real_escape_string() I don't get any errors and nothing gets saved into the DB, and I don't know why =/ Especially because I did the same in another PHP file and it worked perfectly...

<?php
if(isset($_POST['reporte']))
    $falla = $_POST['reporte'];
else      
    $falla = "";

if(!isset($falla)){
    echo '<font color="red">You tried to send an empty form. Please try again.</font>';
}else{
$fecha = mysql_real_escape_string(stripslashes($_POST['fecha']));
$usuario = mysql_real_escape_string(stripslashes($_POST['usuario']));

connection...

 $sql = "INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')" or die('mysql_error()');

Now I don't check if "fecha" or "usuario" are empty, since they are sent via a hidden field in the form.


Edit

I did the switch; there's still no error and nothing gets into the DB =/ I'm looking at the documentation, but I'm puzzled because I've done this before the exact same way and it worked... haha...


Edit 2

Yes, I have a

mysql_query($sql) or die('Error SQL !'.$sql.'<br>'.mysql_error());

Yes, I've set $tbl_name along with the connection in:

$host="localhost"; 
$username="user"; 
$password="pass"; 
$db_name="cosa"; 
$tbl_name="reportes";

And I've done the check in the database monitor and printed it... it returns OK. However, what do you mean by "sanitizing" $falla? I recognize the injection, but I'm quite new to PHP per se.


Edit 3

I use die just to test; however, there are no errors displayed. It functions smoothly, it just won't insert a thing if I use "mysql_real_escape_string()".


Edit 4

This is my current code:

<?php
if(isset($_POST['reporte']))
    $falla = $_POST['reporte'];
else      
    $falla = "";

if(!isset($falla)){
    echo '<font color="red">You tried to send an empty form. Please try again.</font>';
}else{

    $host="localhost"; // Host name
    $username="user"; // Mysql username
    $password="pass"; // Mysql password
    $db_name="cosa"; // Database name
    $tbl_name="reportes"; // Table name

    // To protect MySQL injection
    $fecha = mysql_real_escape_string(stripslashes($_POST['fecha']));
    $usuario = mysql_real_escape_string(stripslashes($_POST['usuario']));
    $falla = mysql_real_escape_string(stripslashes($falla));

    $db = mysql_connect($host, $username, $password) or die('Cannot Connect '.mysql_error()); 
     mysql_select_db($db_name) or die('Cannot select DB '.mysql_error());

    $sql = "INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')" or die('mysql_error()');

    mysql_query($sql) or die('Error SQL !'.$sql.'<br>'.mysql_error());

    header("location:../../user/usuario.php"); 
    mysql_close();    
}  
?>

That's the complete one, also changed according to the recommendations I've been getting here... still not getting anything into the DB...

+11  A: 

I think you may need to open the mysql connection prior to using mysql_real_escape_string. See the documentation.

EDIT

Try this, but what are the datatypes on your table? Are all the fields (usuario, comentario, fecha, estado) strings? That's what your insert statement is saying, I believe.

<?php
if( isset( $_POST[ 'reporte' ] ) ) {
    $falla = $_POST[ 'reporte' ];
} else {
    $falla = "";
}

// $falla is always set at this point, so test for an empty value instead of isset()
if( $falla === "" ) {
    echo '<font color="red">You tried to send an empty form. Please try again.</font>';
} else {

    $host = "localhost"; // Host name
    $username = "user"; // Mysql username
    $password = "pass"; // Mysql password
    $db_name = "cosa"; // Database name
    $tbl_name = "reportes"; // Table name

    // Connect before escaping: mysql_real_escape_string() needs an open connection
    $db = mysql_connect( $host, $username, $password ) or die( 'Cannot connect ' . mysql_error( ) );
    mysql_select_db( $db_name ) or die( 'Cannot select DB ' . mysql_error( ) );

    $fecha = mysql_real_escape_string( stripslashes( $_POST[ 'fecha' ] ) );
    $usuario = mysql_real_escape_string( stripslashes( $_POST[ 'usuario' ] ) );
    $falla = mysql_real_escape_string( stripslashes( $falla ) );

    // A plain string assignment cannot fail, so no "or die" here; the query call below reports errors
    $sql = "INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')";

    mysql_query( $sql ) or die( 'Error SQL !' . $sql . '<br>' . mysql_error( ) );

    mysql_close( );

    // You need a URL here, not a relative path
    header( "Location:../../user/usuario.php" );
    exit; // header() does not stop the script on its own
}
?>
nickohrn
string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] ) - even though link identifier can be assumed, a connection still needs to exist for this to work. This is similar to running mysql_query without a connection.
Syntax
Yes, mysql_real_escape_string sends the data to the MySQL server to be escaped... that's how it's different from mysql_escape_string.
R. Bemrose
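The connect-then-escape ordering that this answer and its comments describe, as an added example that is not code from the question or from nickohrn's answer. It is written against mysqli, the extension that replaced mysql_*, where mysqli_real_escape_string() takes the connection as its first argument, so escaping before connecting cannot happen silently. Host, credentials, database, table and column names are the ones from the question; the redirect target and the MYSQLI_REPORT settings are assumptions for the example.

```php
<?php
// Added example (not from the page): the question's insert done with mysqli,
// connecting before escaping. Credentials, table and columns follow the
// question; the redirect target is assumed.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // every MySQL error throws instead of returning false

$host     = "localhost";
$username = "user";
$password = "pass";
$db_name  = "cosa";
$tbl_name = "reportes";

// isset($falla) is always true once $falla has been assigned, so check the value.
$falla = trim($_POST['reporte'] ?? '');
if ($falla === '') {
    echo '<font color="red">You tried to send an empty form. Please try again.</font>';
    exit;
}

$sql = '';
try {
    // 1. Connect (and select the database) before anything is escaped.
    $db = mysqli_connect($host, $username, $password, $db_name);
    mysqli_set_charset($db, 'utf8mb4'); // escaping depends on the connection charset, so set it first

    // 2. Escape with the live connection. stripslashes() is dropped: it only
    //    undid magic_quotes_gpc, which no longer exists, and it corrupts
    //    legitimate backslashes in the input.
    $usuario = mysqli_real_escape_string($db, $_POST['usuario'] ?? '');
    $fecha   = mysqli_real_escape_string($db, $_POST['fecha'] ?? '');
    $falla   = mysqli_real_escape_string($db, $falla);

    // 3. A string assignment cannot fail, so it gets no "or die".
    $sql = "INSERT INTO $tbl_name (usuario, comentario, fecha, estado)
            VALUES ('$usuario', '$falla', '$fecha', '0')";

    // 4. Run it. A failed INSERT now throws mysqli_sql_exception carrying the server message.
    mysqli_query($db, $sql);
    if (mysqli_affected_rows($db) !== 1) {
        throw new RuntimeException("INSERT affected " . mysqli_affected_rows($db) . " rows");
    }
    mysqli_close($db);
} catch (Exception $e) {
    // Keep the full error (and the statement) server-side; tell the user only that it failed.
    error_log("reportes insert failed: " . $e->getMessage() . " SQL: " . $sql);
    exit('The report could not be saved.');
}

// 5. header() does not end the script, so exit right after it.
header("Location: ../../user/usuario.php");
exit;
```

If the two steps are swapped, so that mysqli_real_escape_string() runs before $db exists, PHP 8 raises a TypeError for the missing connection object rather than quietly handing back false the way the old extension did, which is the failure the question is chasing.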
A: 

First of all, I'm assuming that you have a mysql_query($sql) below: the last line of your example will never die(), as you're just creating a string there.

Second, have you set $tbl_name?

Third, try to print out $sql, check it, and if it seems correct, try it out in the database monitor or whatever GUI tool you use; see if the data actually ends up in the database (try the INSERT, then SELECT the data you just inserted).

By the way, you really should sanitize $falla like you've sanitized $fecha and $usuario: mysql_real_escape_string(stripslashes($falla)); or something similar. Otherwise, $_POST['reporte'] (and $falla) becomes a vector for SQL injection.

Piskvor
+1  A: 

Check the output of mysql_error

The general usage-pattern for the mysql extension is:

mysql_query($sql) or trigger_error(mysql_error());
troelskn
+1  A: 

You don't need the error checking at the end of the $sql var:

$sql = "INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')" or die( 'mysql_error()' );

It is a plain assignment, so there is nothing for `or die` to fail on. Try changing it to the following:

$sql = "INSERT INTO $tbl_name(usuario, comentario, fecha, estado) VALUES('$usuario','$falla','$fecha', '0')";

Not sure if it's necessarily the cause of your error, but it isn't required nonetheless.

Also, I ran your code minus the header redirect and, as mentioned by nickohrn, you need to connect to the MySQL server before using mysql_real_escape_string. The code worked fine; locally the record was inserted into the database.

Try running your code without the header() call.

Asciant
+1  A: 

Please try this another way. Use PEAR:DB or similar framework to use prepared statements instead of this escaping hackery. Calling functions like mysql_real_escape_string and stripslashes are a perfect way to introduce strange bugs and SQL injection problems where you end up with too many or too few slashes in your data.

Jesse Weigert
A: 

Because it is inferior to MySQLi's and PDO's prepare() method.

orlandu63
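The prepared-statement approach that Jesse Weigert's and orlandu63's answers recommend instead of mysql_real_escape_string() and stripslashes(), as an added example that is not code from the page. It uses PDO; credentials, database, table and column names are taken from the question, the sample comment is constructed to contain the characters that break concatenated SQL, and the allow-list of table names is an assumption made for the example.

```php
<?php
// Added example (not from the page): the question's insert done with PDO
// prepared statements. Credentials, table and columns follow the question;
// the sample input below is constructed.

$pdo = new PDO(
    "mysql:host=localhost;dbname=cosa;charset=utf8mb4",
    "user",
    "pass",
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // failures throw; nothing returns false silently
        PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: parameter values never enter the SQL text
    ]
);

// Identifiers (table and column names) cannot be bound as parameters. When
// the table name has to vary, check it against a fixed allow-list rather than
// interpolating anything the client sent.
const ALLOWED_TABLES = ['reportes'];

function insertReporte(PDO $pdo, string $table, string $usuario, string $comentario, string $fecha): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $stmt = $pdo->prepare(
        "INSERT INTO `$table` (usuario, comentario, fecha, estado)
         VALUES (:usuario, :comentario, :fecha, 0)"
    );
    // Values travel separately from the statement, so quotes, backslashes and
    // semicolons inside them are only data. No escaping, no stripslashes().
    $stmt->execute([
        ':usuario'    => $usuario,
        ':comentario' => $comentario,
        ':fecha'      => $fecha,
    ]);
    return $stmt->rowCount(); // 1 when the row went in
}

function countComentario(PDO $pdo, string $comentario): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM reportes WHERE comentario = :c");
    $stmt->execute([':c' => $comentario]);
    return (int) $stmt->fetchColumn();
}

// Constructed input: what a user, or an attacker, might type into the form.
$comentario = "It says 'error 42' and then: '); DROP TABLE reportes; -- ";

$inserted = insertReporte($pdo, 'reportes', 'user', $comentario, '2010-01-01');
// The text is stored exactly as typed and the reportes table still exists:
// the quote and the trailing comment marker never reached the parser as SQL.
$stored = countComentario($pdo, $comentario);
printf("inserted=%d stored=%d\n", $inserted, $stored);
```

In the form handler from the question, the empty check (`trim($_POST['reporte'] ?? '') === ''`) still happens before the call, and the values passed to insertReporte() are the raw POST fields; if fecha is a DATE column, as nickohrn's datatype question hints it may be, send it in Y-m-d form so the server does not reject or zero it.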