I'm writing an authentication system for my site and I want to ensure I'm protected against SQL injection. I'm using 'mysql_real_escape_string' but this clears out the string completely. the username is something like 'Damo' but after running through the function it's gone.
What am I doing wrong? (it works fine without mysql_real_escape_string)
$user_name = $_POST["username"];
$md5 = md5($_POST["password"]);
$user_name = mysql_real_escape_string($user_name);
$login = $query->GetSingleQuery("--SINGLE","SELECT user_name, id FROM url_users WHERE user_name='".$user_name."' and user_password='".$md5."';",array("user_name","id"));
mysql_real_escape_string
requires a connection. The connection is assumed to have been created as part of the same library.
However, mysql_real_escape_string
is not OO-based, and you're clearly using some other library for your OO $query
(what is it?). So mysql_real_escape_string
cannot "see" the connection that you're using, and thus it cannot work.
If you turn error reporting on (and you really should), you ought to see an E_WARNING
generated for this.
For now, I suggest mysql_escape_string
instead. Its use may not match the character set of your database connection, but it'll do you for now, and it doesn't require a connection. Ideally, use the escaping function provided through the DB library that you're actually using.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With