I'm writing an authentication system for my site and I want to ensure I'm protected against SQL injection. I'm using 'mysql_real_escape_string', but this clears out the string completely. The username is something like 'Damo', but after running it through the function it's gone.

What am I doing wrong? (it works fine without mysql_real_escape_string)

<?php
$user_name = $_POST["username"];
$md5 = md5($_POST["password"]);

// Without an open ext/mysql connection this call emits an E_WARNING and
// returns false, which concatenates as an empty string below.
$user_name = mysql_real_escape_string($user_name);

$login = $query->GetSingleQuery(
    "--SINGLE",
    "SELECT user_name, id FROM url_users WHERE user_name='" . $user_name . "' and user_password='" . $md5 . "';",
    array("user_name", "id")
);

  • Do you have magic quotes turned on? (get_magic_quotes_gpc()) Commented May 23, 2011 at 21:19

2 Answers

mysql_real_escape_string requires a connection. The connection is assumed to have been created as part of the same library.

However, mysql_real_escape_string is not OO-based, and you're clearly using some other library for your OO $query (what is it?). So mysql_real_escape_string cannot "see" the connection that you're using, and thus it cannot work.

If you turn error reporting on (and you really should), you ought to see an E_WARNING generated for this.

For now, I suggest mysql_escape_string instead. Its use may not match the character set of your database connection, but it'll do you for now, and it doesn't require a connection. Ideally, use the escaping function provided through the DB library that you're actually using.

2 Comments

I'm an idiot. mysql_real_escape_string is already included in the SQL connection class I'm using. Thanks for your input, it made me look in the right place.
@Damo: No problem. Absolutely use the function provided in the library you're using; it will be aware of the connection you've created, and thus it will function properly. And turn on error reporting! Good luck!
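The login lookup from the question, rewritten as a mysqli prepared statement so that the user input is bound as a parameter instead of being escaped into the SQL text. This is an added example, not code from the question or either answer; the table and column names follow the question, while the connection details are constructed placeholders.

```php
<?php
// Added example: the question's login query as a mysqli prepared statement.
// Assumptions: table url_users(id, user_name, user_password) as in the question;
// the connection parameters below are constructed placeholders.

declare(strict_types=1);

// Throw on driver errors instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Return ['user_name' => ..., 'id' => ...] for a matching login, or null.
 * $passwordHash is whatever the application stores in user_password;
 * the question computes it as md5($_POST["password"]) before the query.
 */
function findLogin(mysqli $db, string $userName, string $passwordHash): ?array
{
    // The SQL text is fixed; the ? markers are filled by the driver, so a
    // username containing quotes is only ever compared as data.
    $sql = 'SELECT user_name, id FROM url_users WHERE user_name = ? AND user_password = ?';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('ss', $userName, $passwordHash);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // needs mysqlnd (default since PHP 5.4)
    $stmt->close();
    return $row ?: null;
}

// Constructed placeholder connection details.
$db = new mysqli('db.example', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

$userName = $_POST['username'] ?? '';
$hash     = md5($_POST['password'] ?? ''); // the question's existing scheme, left as-is here

$login = findLogin($db, $userName, $hash);

// A value such as "x' OR '1'='1" arrives as a literal username and matches no row.
echo $login === null
    ? "login failed\n"
    : "logged in as {$login['user_name']} (id {$login['id']})\n";
```

With parameters bound this way there is no escape function whose connection has to be kept in sync with the query library, which is the mismatch the accepted answer describes.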
Try this snippet, I think you're wrong on what's actually happening.

<?php
$user_name = $_POST["username"];
echo 'before: ' . $user_name;
// Compare the value before and after escaping to see what the function returns.
$user_name = mysql_real_escape_string($user_name);
echo 'after: ' . $user_name;
