mysql_real_escape_string() completely removes string
Asked Answered
R

1

6

I'm escaping all the string parameters I receive from a php form like this:

$usr_name = mysql_real_escape_string($_REQUEST['usr_name']);

to avoid a few problems with SQL Injection. But when I my string back from the function, I end up with nothing.

Also I keep getting this weird warning in my PHP log:

PHP Warning:  mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: A link to the server could not be established in /hermes/bosweb/web279/b2798/ipw.bankingforms/public_html/formAckResponse_controller.php on line 39

The host uses: PHP Version 4.4.7

Receipt answered 1/5, 2009 at 19:3 Comment(0)
G
18

From PHP.net:

Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

In other words, you will have needed to connect to the MySQL database through mysql_connect() or mysql_pconnect() before you can use this function.

Greenstone answered 1/5, 2009 at 19:7 Comment(2)
I've known to do this, but never knew why, exactly. Does the function run on the database server side? Or is this simply an API limitation?Gallican
It is run server-side, because MySQL's escaping depends on the character set currently in use by the server.Greenstone

© 2022 - 2024 — McMap. All rights reserved.