I'm getting this error when I'm trying to update data in the database. This is my database.php file:

<?php

 $db_name = "db";
 $db_server = "localhost";
 $db_user = "xxxx";
 $db_pass = "zzzzzzzzz";

 $mysqli = new MySQLi($db_server, $db_user, $db_pass, $db_name)
 or die(mysqli_error());

?>

update.php

<?php

 require 'database.php';

 $title = mysql_real_escape_string($_POST['title']);
 $id = mysql_real_escape_string($_POST['id']);

 $update_query = "UPDATE photos SET title = '$title' WHERE id='$id'";

 $result = $mysqli->query($update_query) or die(mysqli_error($mysqli));

 if ($result) {
    echo "Success!";
    echo "The title of this photo has been changed to:  <strong>$title</strong>";
 }

?>

The error message:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\myPhotosWebsite\changePhotoTitle.php on line 5
A: 

In your mysql connect() it seems that your user name/password combination is being denied access to mysql, you might want to check your details and try again.

Shard
+1  A: 

You are mixing procedural and object-oriented style calls.

Try:

$title = $mysqli->escape_string($_POST['title']); /* Call as a method */

instead of:

$title = mysql_real_escape_string($_POST['title']);

real_escape_string requires a valid connection handle, as it needs to know the connection character set.

If you call it as a procedure, you should pass the connection handle as a first param:

mysqli_real_escape_string($connection_handle, $string_to_escape)

or just call it as a method as described above.

See mysqli_real_escape_string for more detail

Quassnoi
A: 

mysql_real_escape_string requires a database connection to operate on. Unless you pass one explicitly, that means you have to call mysql_connect() first. But you're using a MySQLi() object to get the connection instead. I don't think using MySQLi() will set the default connection for the mysql_ family of functions. Certainly,

(using password: NO)

implies it is not getting the $db_pass.

It's best to stick to either ‘mysql’ or ‘mysqli’, rather than try to mix both. If you're using MySQLi you might want to take advantage of parameterised statements to avoid having to call $mysqli->escape_string() explicitly.

PS.

echo "The title of this photo has been changed to:  <strong>$title</strong>";

$title is SQL-escaped, but not HTML-escaped. It will have unwanted backslashes in whilst not preventing HTML-injection (XSS attacks). Instead:

echo 'The title of this photo has been changed to: <strong>'.htmlspecialchars($_POST['title']).'</strong>';
bobince
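
The parameterised statement and HTML-escaping advice from the last answer, combined into one update.php. This is an added example, not code from the thread: the `update_photo_title` and `h` helpers are hypothetical names, the credentials are the question's placeholders, and the `utf8mb4` charset is an assumption.

```php
<?php
// Added example, not code from the original thread.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors become exceptions

// Returns the number of rows changed (0 if the id is unknown or the title is unchanged).
function update_photo_title(mysqli $db, int $id, string $title): int
{
    // The ? placeholders are sent separately from the SQL text, so the values
    // are never parsed as SQL and no escape_string() call is needed.
    $stmt = $db->prepare('UPDATE photos SET title = ? WHERE id = ?');
    $stmt->bind_param('si', $title, $id);   // s = string, i = integer
    $stmt->execute();
    $rows = (int) $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

// Escape for HTML only at the point of output, from the raw (not SQL-escaped) value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$id    = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); // int, false or null
$title = $_POST['title'] ?? null;
if (!is_int($id) || !is_string($title) || $title === '') {
    http_response_code(400);
    exit('Invalid id or title.');
}

try {
    // Placeholder credentials, as in the question's database.php.
    $mysqli = new mysqli('localhost', 'xxxx', 'zzzzzzzzz', 'db');
    $mysqli->set_charset('utf8mb4');        // assumed connection character set
    $rows = update_photo_title($mysqli, $id, $title);
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());            // details go to the log, not the page
    http_response_code(500);
    exit('Database error.');
}

if ($rows > 0) {
    echo 'Success! The title of this photo has been changed to: <strong>' . h($title) . '</strong>';
} else {
    echo 'No photo was updated.';
}
```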