Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

mysql_real_escape_string deleting entire string

I'm writing an authentication system for my site and I want to ensure I'm protected against SQL injection. I'm using 'mysql_real_escape_string' but this clears out the string completely. the username is something like 'Damo' but after running through the function it's gone.

What am I doing wrong? (it works fine without mysql_real_escape_string)

$user_name = $_POST["username"];
$md5 = md5($_POST["password"]);

$user_name = mysql_real_escape_string($user_name);


$login = $query->GetSingleQuery("--SINGLE","SELECT user_name, id FROM url_users WHERE user_name='".$user_name."' and user_password='".$md5."';",array("user_name","id"));
like image 301
Damo Avatar asked May 23 '11 21:05

Damo


1 Answers

mysql_real_escape_string requires a connection. The connection is assumed to have been created as part of the same library.

However, mysql_real_escape_string is not OO-based, and you're clearly using some other library for your OO $query (what is it?). So mysql_real_escape_string cannot "see" the connection that you're using, and thus it cannot work.

If you turn error reporting on (and you really should), you ought to see an E_WARNING generated for this.

For now, I suggest mysql_escape_string instead. Its use may not match the character set of your database connection, but it'll do you for now, and it doesn't require a connection. Ideally, use the escaping function provided through the DB library that you're actually using.

like image 184
Lightness Races in Orbit Avatar answered Sep 27 '22 16:09

Lightness Races in Orbit