Warning: mysql_real_escape_string(): Access denied for user ''@'localhost' (using password: NO)

Question

When is use the following code without mysql_real_escape_string, works fine. I simply trying to grab a text string that may have apost. from an input form and format it to put in mysql table.

    <?php
    $filenamee = $_FILES["file"]["name"];
    $filename =strval($filenamee);
    echo "file name is".$filename;

     $con=mysqli_connect("localhost","blasbott_admin","lubu1973","blasbott_upload");
     // Check connection
     if (mysqli_connect_errno())
       {
   echo "Failed to connect to MySQL: " . mysqli_connect_error();
   }
 $companyName = mysql_real_escape_string($_POST['companyName']);
// $companyName = mysql_real_escape_string($companyNamee);
 //$companyName = mysql_real_escape_string($companyNamee);

$sql="INSERT INTO ads (companyName, webSite, picture)
 VALUES ('$companyName','$_POST[webSite]','$filename')";

if (!mysqli_query($con,$sql))
   {
   die('Error: ' . mysqli_error($con));
   }
   echo"<br>";
 echo "1 record added";

mysqli_close($con);
 ?> 

Answer 1

No, you shouldn't mix mysql and mysqli.

Use here instead of mysql_real_escape_string($var):

$con->real_escape_string($var);

Answer 2

You're at risk of MySQL injections. Never insert data directly to a database without some sort of projection first. It's a major security risk. Also use mysqli_real_escape_string instead, and note that your $_POST[webSite] is unprotected.

Also, your error means that your database details are not correct.

Answer 3

You must connect with database first before using Warning: mysql_real_escape_string()

Answer 4

A working code example that is a solution to this problem is available here:

http://www.w3schools.com/php/func_mysqli_real_escape_string.asp