mysql_real_escape_string not working

I’m trying to use mysql_real_escape_string to make some user input safe for insertion into a MySQL table. However, I am getting an error when I do it.

I’ve tried it two different ways, and received two different errors. Here’s the first…


$conn = DBManager::getConn();
$username = mysql_real_escape_string($in_username);

Note that the first line definitely successfully opens a connection. Here are the errors I get when I try this…

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user ‘ODBC’@‘localhost’ (using password: NO) in C:\wamp\www\awesome\awesome\includes\usermgr.php on line 187

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\awesome\awesome\includes\usermgr.php on line 187

Here is the second way I tried it…


$conn = DBManager::getConn();
$username = $conn->mysql_real_escape_string($in_username);

This generates the following error…

Fatal error: Call to undefined method mysqli::mysql_real_escape_string() in C:\wamp\www\awesome\awesome\includes\usermgr.php on line 187

Can anyone tell me what I’m doing wrong?

I figured I’d include the DBManager class in case maybe it has something to do with the way I’m connecting to the DB. I’ve tested this class and the getConn() method and it definitely gets a connection. I was able to connect and run queries on the database. Anyway, here’s the code…

class DBManager
{
	private static $s_conn;
	
	public static function getConn()
	{
		if (DBManager::$s_conn === NULL)
		{
			$conn = @new mysqli(DB_HOST, DB_USER, DB_PASS, DB_DBASE);
			if (mysqli_connect_errno() !== 0)
			{
				$msg = mysqli_connect_error();
				throw new DatabaseErrorException($msg);
			}
			
			@$conn->query('SET NAMES \'utf8\'');
			DBManager::$s_conn = $conn;
		}
		
		return DBManager::$s_conn;
	}
}

$username = $conn->real_escape_string($in_username);

:wink:

Awesome. Thanks, that worked. So what is mysql_real_escape_string about? I got that straight out of a PHP security book.

It is not really about security. It is about SQL syntax.
There are some special characters that must be escaped with a backslash to make the syntax of the query correct.
So, mysql_real_escape_string does the thing.

I guess what I was really asking is what’s the difference between mysql_real_escape_string and real_escape_string and why is only real_escape_string working for me? Is mysql_real_escape_string from an older MySQL extension or something?

Yes. From the other MySQL extension.
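
An added example, not part of any post in this thread: the same lookup done through the mysqli object with real_escape_string and, for comparison, with a prepared statement that needs no escaping. It assumes the DB_* constants used by the DBManager class above are defined and a database is reachable; the `users` table, its `username` column, and the function names are hypothetical.

```php
<?php
// Added example. Assumes DB_HOST, DB_USER, DB_PASS and DB_DBASE are defined as
// in the DBManager class, and a hypothetical `users` table with a `username` column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of warn

function openConn(): mysqli
{
    $conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_DBASE);
    // set_charset() tells the client library which charset the connection uses.
    // real_escape_string() depends on that; a "SET NAMES" query does not set it.
    $conn->set_charset('utf8');
    return $conn;
}

// Escaping variant: the escaped value is only safe inside the quotes of a
// string literal, and only on the connection that escaped it.
function countByNameEscaped(mysqli $conn, string $inUsername): int
{
    $username = $conn->real_escape_string($inUsername);
    $result = $conn->query(
        "SELECT COUNT(*) FROM users WHERE username = '$username'"
    );
    $row = $result->fetch_row();
    return (int) $row[0];
}

// Prepared-statement variant: the value is bound as a parameter and is never
// spliced into the SQL text, so no escaping is involved.
function countByNamePrepared(mysqli $conn, string $inUsername): int
{
    $stmt = $conn->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->bind_param('s', $inUsername);
    $stmt->execute();
    $stmt->bind_result($count);
    $stmt->fetch();
    $stmt->close();
    return (int) $count;
}

$conn = openConn();
$input = "O'Reilly"; // constructed sample input containing a quote character
var_dump(countByNameEscaped($conn, $input) === countByNamePrepared($conn, $input));
```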