mysql_real_escape_string is being ignored

Question

onofej 0 Light Poster

11 Years Ago

hello everyone,
i have read through other post but could not resolve my issues. i need someone to see to my code. i am trying
mysql_real_escape_string for my datas. but the one without it can insert properly while the one with the mysql_escape does not. from my code, i am able to insert lastname into database but not the firstname. i connected to my database first because i read to use mysql_real_escape_string you have to be first connected.and i do not want to work without taking sql injection into account. could someone help please

include ('config.php');
if (isset($_POST['formsubmitted'])) {

    $dbc = @mysqli_connect($servername,$firstname,$dbpassword,$database );
    if (!$dbc) {
     trigger_error('no connection to MySQL: ' . mysqli_connect_error());
    }

    if (empty($_POST['firstname'])) { 
        $error[] = 'Please Enter a first name '; 
    } else {
        $firstname = mysql_real_escape_string( stripslashes( $_POST[ 'firstname' ] ) ); 


    }
    if (empty($_POST['lastname'])) { 
        $error[] = 'Please Enter a last name '; 
    } else {
         $lastname      =  $_POST[ 'lastname' ] ; 
    }

mysql php

2 Contributors
4 Replies
107 Views
1 Day Discussion Span
Latest Post 11 Years Ago Latest Post by onofej

diafol

11 Years Ago

Your using mysqli and then mysql. You'd be better off using a paramterized query.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

onofej 0 Light Poster · Answer 1 · 2012-12-26T17:39:30+00:00

thanks but i have changed it to mysqli and still same. i am using this method as it enable me validate email and comapre 2 password properly. would you please give me an example of what the paramatised should look like?

include ('config.php');
if (isset($_POST['formsubmitted'])) {

    $dbc = @mysqli_connect($servername,$username,$dbpassword,$database );
if (!$dbc) {
 trigger_error('Could not connect to MySQL: ' . mysqli_connect_error());
}

    if (empty($_POST['firstname'])) { //if no name has been supplied
        $error[] = 'Please Enter a first name '; //add to array "error"
    } else {
        $firstname     = mysqli_real_escape_string( stripslashes( $_POST[ 'firstname' ] ) ); //else assign it a variable
    }
    if (empty($_POST['lastname'])) { //if no name has been supplied
        $error[] = 'Please Enter a last name '; //add to array "error"
    } else {
         $lastname      =  $_POST[ 'lastname' ] ; //else assign it a variable
    }

    if (empty($_POST['email'])) {
        $error[] = 'Please Enter your email ';
    } else {

        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/",
            $_POST['email'])) {
            //regular expression for email validation
            $email         = mysql_real_escape_string( stripslashes( $_POST[ 'email' ] ) );
        } else {
            $error[] = 'Your email Address is invalid  ';
        }

    }

diafol · Answer 2 · 2012-12-27T10:40:36+00:00

Before using mysqli_* functions, read the php manual: http://php.net/manual/en/mysqli.real-escape-string.php

As opposed to mysql_* functions, you must include the link identifier. In addition, php has built-in email filters and sanitizers, so you don't need regex validation:

http://uk3.php.net/manual/en/filter.filters.validate.php
http://uk3.php.net/manual/en/filter.filters.sanitize.php

Also you can do away with the stripslashes as a rule. Depends what version of php you're using and if magic quotes are enabled.

For mysqli parameter binding: http://php.net/manual/en/mysqli-stmt.bind-param.php

Note than you need to enter the data type as a first parameter, e.g. 'si' for string then integer

onofej 0 Light Poster · Answer 3 · 2012-12-27T21:15:13+00:00

thanks for theinformation and for your time i will go through it