I have this code:
$query = "select id from votes where username = '$user' and article_id = $this->id";
I tried this code to sanitize it:
$query = sprintf("select id from votes where username = '$user' and article_id = $this->id",
mysql_real_escape_string($user),
mysql_real_escape_string($password));
but I get this error for the mysql_real_escape lines:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146
I get the user name here, I don't know if it's safe enough:
function getUsername(){ return $this->username; }
Thx
You need a mysql connection before you can use mysql_real_escape_string.
I would suggest using prepared statements for this instead of sprintf
Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id', but they should be '%s'
http://us2.php.net/sprintf
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO)
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established
Did you check the link? Is it active? You need to be connected before using mysql_real_escape_string().
Did you forget to set the password?
Try:
mysql -u mexautos -p
(type Enter if no password)
Also, check out your sprintf() function, you need to use the %s to bind your variable
$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);
You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help sanitize.
Also the sprintf() should look something like this
$query = sprintf("SELECT id FROM votes WHERE username = '%s' AND article_id = %d",
mysql_real_escape_string($user),
(int) $this->id); // %d takes the article id, not the password
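As an added example (not code from the original question or from any of the answers): the votes lookup from the question, first with sprintf used the way the answers describe (only '%s' and %d inside the format string, the escaped username and the integer article id passed as arguments) and then as a mysqli prepared statement. ext/mysql is gone in PHP 7, so the escaping goes through mysqli::real_escape_string, which needs the open connection for the same reason mysql_real_escape_string() did. The host name, credentials and database name are placeholders; the votes(id, username, article_id) layout is taken from the question's query; get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not from the original post. Connection details are placeholders.
declare(strict_types=1);

// Report connection and query failures as exceptions instead of E_WARNING plus FALSE.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$db->set_charset('utf8mb4'); // escaping rules depend on the connection's character set

/**
 * Version 1: sprintf + escaping, done correctly.
 * The format string holds only placeholders; the escaped username and the
 * integer-cast article id are supplied as arguments. The connection must
 * already exist, because real_escape_string() asks the server for its charset.
 */
function findVoteIdEscaped(mysqli $db, string $user, int $articleId): ?int
{
    $sql = sprintf(
        "SELECT id FROM votes WHERE username = '%s' AND article_id = %d",
        $db->real_escape_string($user),
        $articleId
    );
    $row = $db->query($sql)->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}

/**
 * Version 2: a prepared statement (what the answers recommend).
 * The values never become part of the SQL text, so nothing has to be escaped
 * or quoted, and a username such as "' OR 1=1 -- " is compared literally
 * instead of being parsed as SQL.
 */
function findVoteIdPrepared(mysqli $db, string $user, int $articleId): ?int
{
    $stmt = $db->prepare('SELECT id FROM votes WHERE username = ? AND article_id = ?');
    $stmt->bind_param('si', $user, $articleId); // s = string, i = integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd
    $stmt->close();
    return $row === null ? null : (int) $row['id'];
}

$user      = $_POST['username'] ?? '';
$articleId = (int) ($_POST['article_id'] ?? 0);

$voteId = findVoteIdPrepared($db, $user, $articleId);
echo $voteId === null ? "no vote yet\n" : "vote id: {$voteId}\n";
```

The escaped version is only safe while every string value is both escaped and quoted and every numeric value is cast or formatted with %d; the prepared version removes that per-value discipline, which is why it is the better default.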
I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.
Like the others said, not '$user' but '%s', and you need an open connection.
@Tomalak
sprintf is faster - that's the reason why to use it - it is a native C function.
I connected my website to a database and the connection was successful, but when I tried to get values from a table in the database I got this error:
Warning: mysql_query(): Access denied for user ''@'localhost' (using password: NO) in /home/username/public_html/root/connecti.php on line 17
Warning: mysql_query(): A link to the server could not be established in /home/username/public_html/root/connecti.php on line 17
Connected successfully
Line 17:
$sql = mysql_query("SELECT * FROM 'tblusers' LIMIT 0, 30");
My educated guess is that you establish the connection using mysqli_connect() but then attempt to use mysql_query(). As per the docs:
mixed mysql_query ( string $query [, resource $link_identifier = NULL ] )
link_identifier
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() had been called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
If you check the manual page for mysql_connect() you'll see that it's possibly trying to use system-wide credentials you haven't set.
You cannot mix database extensions to your liking. Stop using the legacy extension and stick to mysqli.
Look at your SELECT query and you will see that quoting the table name with single quotes is the issue, since the DB engine then considers it a string literal and not a DB object.
You need to quote it with backticks instead:
"SELECT * FROM `tblusers` LIMIT 0, 30"
First of all, I'm sorry if the title isn't clear enough (I find it hard to explain what I'm dealing with, and English isn't my native language).
These two scripts cause three warnings:
Warning: mysql_pconnect() has been disabled for security reasons in /home/username/public_html/xxx/libraries/adodb/drivers/adodb-mysql.inc.php on line 227
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'root'@'localhost' (using password: NO) in /home/username/public_html/xxx/include/config.php on line 140
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/username/public_html/xxx/include/config.php on line 140
The Config PHP
if($sban != "1")
{
$bquery = "SELECT count(*) as total from bans_ips WHERE ip='".mysql_real_escape_string($_SERVER['REMOTE_ADDR'])."'";
$bresult = $conn->execute($bquery);
$bcount = $bresult->fields['total'];
if($bcount > "0")
{
$brdr = $config['baseurl']."/banned.php";
header("Location:$brdr");
exit;
}
}
The adodb-mysql.inc.php
function _pconnect($argHostname, $argUsername, $argPassword, $argDatabasename)
{
if (ADODB_PHPVER >= 0x4300)
$this->_connectionID = mysql_pconnect($argHostname,$argUsername,$argPassword,$this->clientFlags);
else
$this->_connectionID = mysql_pconnect($argHostname,$argUsername,$argPassword);
if ($this->_connectionID === false) return false;
if ($this->autoRollback) $this->RollbackTrans();
if ($argDatabasename) return $this->SelectDB($argDatabasename);
return true;
}
What I don't understand is that there's no error whether using localhost or my other hosting (I have 2 hosting services and only one that works well).
Please, could you kindly suggest to me what to do in a very newbie way?
Thank you very much in advance.
The mysql_query subsystem requires an active connection to be defined before the escaping function will work, but don't bother fixing this. Instead use the database library you're employing correctly.
It's not clear which you're using from this short example, the connection code is omitted.
The PDO execute function can bind values, and the mysqli bind_param method is similar. Both completely replace mysql_real_escape_string.
I began learning to code a few days ago and I am having some issues with mysql_real_escape_string, specifically with a login.php.
The error messages:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 3
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 3
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 4
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 4
Please enter a username and a password
Here is the code I have so far -- this code worked in localhost but once I put it online and imported the database tables, it gave me some issues:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
if ($username&&$password)
{
$connect = mysql_connect("localhost","elegant_root","password;1") or die("Couldn't connect!");
mysql_select_db("elegant_ezworkstation") or die("Couldn't find database");
$query = mysql_query("SELECT * FROM users WHERE username=$username");
$numrows = mysql_numrows($query);
if ($numrows!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
echo "You're in";
}
else
echo "Incorrect password!";
}
else
die("That user doesn't exist");
}
else
die("Please enter a username and a password");
?>
EDIT: I changed to mysqli and I got these errors:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 3
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 4
Putting mysql_real_escape_string() after you connect to the db will work fine.
However, you should shift to mysqli or PDO. MySQL is deprecated now.
A few links to help you out
Moving from mysql to mysqli or pdo?
mysqli or PDO - what are the pros and cons?
The equivalent commands in mysqli and PDO for escaping would be mysqli_real_escape_string() and PDO::quote() respectively.
As people are pointing out, PDO is definitely the better alternative. Here is an answer I previously wrote comparing PDO with others.
PDO - real facts and best practice?
And another advantage of this will be that you don't need to use escaping functions if you use prepared statements with named parameters.
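As an added example (not the original poster's code and not from any of the answers): the login check from the question rewritten with PDO named parameters, as this answer and the earlier "PDO execute function can bind values" answer describe, plus a password hash instead of the plaintext comparison in the posted script. The DSN, credentials and a users(username, password_hash) table layout are assumptions.

```php
<?php
// Added example, not from the original post. DSN, credentials and table layout are assumptions.
declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=elegant_ezworkstation;charset=utf8mb4',
    'elegant_root',
    'db_password',
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never a silent FALSE
        PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

/** Create a user, storing only a password hash, never the password. */
function registerUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash) VALUES (:username, :hash)'
    );
    $stmt->execute([
        ':username' => $username,
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

/**
 * Return true only if the username exists and the password matches its hash.
 * The username is bound, not interpolated, so the driver handles quoting and
 * escaping (the posted script had username=$username with no quotes at all),
 * and the password itself never reaches the database.
 */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    static $dummyHash = null;
    if ($dummyHash === null) {
        // Hashed once per process so an unknown user costs the same time as a wrong password.
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    $stmt = $pdo->prepare(
        'SELECT password_hash FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
if ($username === '' || $password === '') {
    exit("Please enter a username and a password\n");
}
echo checkLogin($pdo, $username, $password) ? "You're in\n" : "Incorrect username or password\n";
```

The single "Incorrect username or password" message is deliberate: the posted script answered "That user doesn't exist" and "Incorrect password!" separately, which tells an attacker which usernames are valid.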
my code-
require 'database.php';
$title = mysql_real_escape_string($_POST['title']); //line 48
$cat = $_POST['cat'];
$txtart = mysql_real_escape_string($_POST['artbody']); //line 50
$date = date("d-m-y");
$q = "INSERT INTO tblarticle (art_title, art_cat, art_des, art_date) VALUES ('$title', '$cat', '$txtart', '$date')";
ERROR-->
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xampp\htdocs\shizin\admin\newArticle.php on line 48
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\xampp\htdocs\shizin\admin\newArticle.php on line 48
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xampp\htdocs\shizin\admin\newArticle.php on line 50
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\xampp\htdocs\shizin\admin\newArticle.php on line 50
But the data is getting saved in the DB, with null title and artbody fields.
mysql_real_escape_string tries to connect to the local database, so it can fetch the settings it needs to escape the string correctly for that system.
You can tell the function which connection to use by passing in a link identifier as a second argument:
mysql_real_escape_string($string, $link)
Please check your MySQL username and password and make sure you're entering them properly in mysql_connect. According to the error you didn't run mysql_connect with a password, which may be causing these problems.
Check database.php connection strings, and the MySQL server is running as mysql_real_escape_string needs a valid open database connection to work.
my code-
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
but it throws warning-
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\xampp\htdocs\pics\confirm_login_credentials.php on line 3
and
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\xampp\htdocs\pics\confirm_login_credentials.php on line 3
mysql_real_escape_string requires an established link to the database to determine the character encoding actually in use:
Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
It seems that you don’t have that when calling mysql_real_escape_string.
http://www.webmasterworld.com/php/3120893.htm
You need the database link before anything else.
mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. Although deprecated, mysql_escape_string [us3.php.net] doesn't need a connection.