mysql_real_escape_string() just makes an empty string?
Asked Answered
M

5

10

I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code:

<?php

// Some config stuff
define(DB_HOST, 'localhost');
define(DB_USER, 'root');
define(DB_PASS, '');
define(DB_NAME, 'quicklike');

$link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error());
$sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error());

$likeMsg = mysql_real_escape_string(trim($_POST['likeMsg']));
$timeStamp = time();

if(empty($likeMsg))
    die('ERROR: Message is empty');

$sql = "INSERT INTO `likes` (like_message, timestamp)
        VALUES ('$likeMsg', $timeStamp)";

$result = mysql_query($sql, $link) or die('ERROR: ' . mysql_error());

echo mysql_insert_id();

mysql_close($link);

?>

The problematic line is $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg']));. It seems to just return an empty string, and in my database under the like_message column all I see is blank entries. If I remove mysql_real_escape_string() though, it works fine.

Here's my jQuery code if it helps.

$('#like').bind('keydown', function(e) {
    if(e.keyCode == 13) {
        var likeMessage = $('#changer p').html();

        if(likeMessage) {
            $.ajax({
                cache: false,
                url: 'like.php',
                type: 'POST',
                data: { likeMsg: likeMessage },
                success: function(data) {
                    $('#like').unbind();
                    writeLikeButton(data);
                }
            });
        } else {
            $('#button_container').html('');
        }
    }
});

All this jQuery code works fine, I've tested it myself independently.

Any help is greatly appreciated, thanks.

Mccrea answered 9/6, 2010 at 10:58 Comment(1)
Before execute SQL do var_dump($likeMsg); echo $sql; die; and look what those variables contain. After that if it is ok, paste SQL output into phpMyAdmin and check the result.Schall
U
22

Are you 1000% sure that $_POST["likeMsg"] actually contains something?

As for mysql_real_escape_string() returning an empty value, the manual says there is only one situation where that can happen:

Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

this doesn't seem to be the case here though, as you do have a connection open. Strange.

Untried answered 9/6, 2010 at 11:0 Comment(4)
I read that when I google'd the problem. I have initiated a database connection before using mysql_real_escape_string() though.Mccrea
@James then it must be that data itself. Can you show a dump of $_POST?Untried
@James alternatively, can you try explicitly specifying the connection as a parameter?Untried
i was on that only situation!Boschbok
U
14

As the other answers don't make clear what exactly to do, here's my:

When you do

$db_connection = new mysqli($SERVER, $USERNAME, $PASSWORD, $DATABASE);

you need to escape like this:

$newEscapedString = $db_connection->real_escape_string($unescapedString);

NOTE: Because people are downvoting this (WTF!?), here's the official page of the official php manual that says EXACTLY what i have posted: real_escape_string @ PHP Manual.

Underfeed answered 23/4, 2013 at 15:23 Comment(1)
+1 I viewed the docs. Maybe people are more use to seeing the procedural form rather than the object oriented form.Pember
T
3

For people who might be finding this again now, I just ran into this problem as I'm migrating from PHP5 to PHP7. I'm changing from

string mysql_real_escape_string(string $unescaped, [resource $link = NULL])

to:

string mysqli_real_escape_string(mysqli $link, string $escapestr)

So, in other words, the database $link is no longer optional and moves to the first argument position. If left out, it returns an empty string, without an error, apparently.

Teepee answered 18/9, 2016 at 0:37 Comment(0)
J
1

Do a var_dump of $_POST['likeMsg'], and a var_dump of $likeMsg. That gives you information on what goes wrong.

Jacynth answered 9/6, 2010 at 11:2 Comment(0)
P
0

mysql_real_escape_string() will return blank response if you have not made connection to database ...

Punishment answered 13/11, 2016 at 19:19 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.