The following code works perfectly fine in my local xampp installation (Windows 7), but when I ported it over to a Win2K8 R2 server, the mysql_real_escape_string piece does not work. When I comment it out, it works fine. I am pretty sure this has something to do with the php.ini file but cannot pinpoint what it is. Perhaps my code should have been written differently to begin with.
function add_asset($asset_type_ID, $org_ID, $asset_desc, $asset_cost, $asset_value, $purchase_date) {
global $db;
$asset_desc = mysql_real_escape_string($asset_desc);
$query = "INSERT INTO assets
(asset_ID, asset_type_ID, org_ID, asset_desc, asset_cost, asset_value, purchase_date)
VALUES
(DEFAULT, '$asset_type_ID', '$org_ID', '$asset_desc', '$asset_cost', '$asset_value', '$purchase_date')";
$add_asset = $db->exec($query);
$last_asset_ID = $db->lastInsertId();
return $last_asset_ID;
Specifically, when the record gets entered into mysql, the asset_desc
field is blank.
Thank you!
UPDATE: After looking through the PHP error log, I found the following:
[function.mysql-real-escape-string]: Access denied for user ''@'localhost' (using password: NO)
Looks like whatever credentials you are using to connect to the database on your dev system are failing on your server.
mysql_real_escape_string()
requires an active MySQL connection in order for it to work correctly; if you aren't connected to the database, it will fail.
Check wherever in your code you are calling mysql_connect()
; from the error message, it seems like your dev system is relying on the runtime default values for the Mysql extension.
Alternatively, the connection resource might not be accessible to mysql_real_escape_string()
on the server's system. From the documentation for mysql_real_escape_string()
(emphasis mine):
link_identifier
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect()
is assumed. If no such link is found, it will try to create one as if mysql_connect()
was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
Perhaps it's possible that your dev server is configured such that calling mysql_connect()
with no arguments does establish a connection to the MySQL database server. The most likely reasons for this are either dev MySQL server allows anonymous connections, or php.ini specifies valid default credentials.
However, this fails on production, most likely because the production MySQL server does not allow anonymous connections, and no default credentials are specified in php.ini.
Check over your code for situations where it is possible to arrive at the call to mysql_real_escape_string()
without mysql_connect()
getting called first (note that establishing a connection with PDO doesn't count in this case).
Since you're using PDO, consider switching to prepared statements, which will eliminate the need for mysql_real_escape_string()
entirely.
You're probably thinking of "magic quotes"
http://php.net/manual/en/security.magicquotes.disabling.php
This function has been deprecated in php 5.3
http://php.net/manual/en/function.mysql-escape-string.php
You will have to rewrite your code, ideally use PDO from now on and use prepared statements.
Quick Answer:
Connect to database first
Then use the mysql_real_escape_string.
Not the other way around......