Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 11:16 AM, Nigel Green ni...@greenlemur.com wrote:
> Hi all,
>
> This is my first post to the list. Have been observing for a few weeks and have learnt a lot.
>
> I am having an issue in one of my scripts where using the mysql_real_escape_string function is stripping content out of my input data. All is working well on my local installation, but when the files are transferred over to the live site I am getting problems.
>
> The sample code I am using to test this is as follows:
>
> if(isset($this->mysql))
> {
>     $query = "update pages set";
>     $query .= " `title` = '" . mysql_real_escape_string ($title) . "',";
>     $query .= " `text` = '" . mysql_real_escape_string ($text) . "'";
>     $query .= " where id = \"$id\"";
> }
> echo $query;
>
> The $title, $text and $id values are passed in as parameters when I call the method that runs the update, and if I echo them out at the top of the method they are all present and correct. The $mysql class variable is populated with a connection handle when I instantiate an instance of the class, and the code is finding the connection as it is building the query.
>
> On my local machine the query is built using the escaped values from the $_POST array, but on the live site the escaped values for $title and $text are blank.
>
> Any ideas on where to look for config differences? The main thing I've found so far is that this may happen if no connection is present, but it is. Doing a var_dump of the connection handle shows that it is the correct handle as well.
>
> Any thoughts?
>
> Many thanks in advance for any help.
>
> Nigel
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.

If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 11:16 AM, Nigel Green ni...@greenlemur.com wrote:
>> Hi all,
>>
>> This is my first post to the list. Have been observing for a few weeks and have learnt a lot.
>>
>> I am having an issue in one of my scripts where using the mysql_real_escape_string function is stripping content out of my input data. All is working well on my local installation, but when the files are transferred over to the live site I am getting problems.
>>
>> The sample code I am using to test this is as follows:
>>
>> if(isset($this->mysql))
>> {
>>     $query = "update pages set";
>>     $query .= " `title` = '" . mysql_real_escape_string ($title) . "',";
>>     $query .= " `text` = '" . mysql_real_escape_string ($text) . "'";
>>     $query .= " where id = \"$id\"";
>> }
>> echo $query;
>>
>> The $title, $text and $id values are passed in as parameters when I call the method that runs the update, and if I echo them out at the top of the method they are all present and correct. The $mysql class variable is populated with a connection handle when I instantiate an instance of the class, and the code is finding the connection as it is building the query.
>>
>> On my local machine the query is built using the escaped values from the $_POST array, but on the live site the escaped values for $title and $text are blank.
>>
>> Any ideas on where to look for config differences? The main thing I've found so far is that this may happen if no connection is present, but it is. Doing a var_dump of the connection handle shows that it is the correct handle as well.
>>
>> Any thoughts?
>>
>> Many thanks in advance for any help.
>>
>> Nigel
>
> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>
> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.

mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.

// Todd

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 11:16 AM, Nigel Green ni...@greenlemur.com wrote:
>>> Hi all,
>>>
>>> This is my first post to the list. Have been observing for a few weeks and have learnt a lot.
>>>
>>> I am having an issue in one of my scripts where using the mysql_real_escape_string function is stripping content out of my input data. All is working well on my local installation, but when the files are transferred over to the live site I am getting problems.
>>>
>>> The sample code I am using to test this is as follows:
>>>
>>> if(isset($this->mysql))
>>> {
>>>     $query = "update pages set";
>>>     $query .= " `title` = '" . mysql_real_escape_string ($title) . "',";
>>>     $query .= " `text` = '" . mysql_real_escape_string ($text) . "'";
>>>     $query .= " where id = \"$id\"";
>>> }
>>> echo $query;
>>>
>>> The $title, $text and $id values are passed in as parameters when I call the method that runs the update, and if I echo them out at the top of the method they are all present and correct. The $mysql class variable is populated with a connection handle when I instantiate an instance of the class, and the code is finding the connection as it is building the query.
>>>
>>> On my local machine the query is built using the escaped values from the $_POST array, but on the live site the escaped values for $title and $text are blank.
>>>
>>> Any ideas on where to look for config differences? The main thing I've found so far is that this may happen if no connection is present, but it is. Doing a var_dump of the connection handle shows that it is the correct handle as well.
>>>
>>> Any thoughts?
>>>
>>> Many thanks in advance for any help.
>>>
>>> Nigel
>>
>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>
>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>
> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>
> // Todd

Using php4 is beyond irresponsible at this point.

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera eric.but...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>>> On Thu, Mar 5, 2009 at 11:16 AM, Nigel Green ni...@greenlemur.com wrote:
>>>> Hi all,
>>>>
>>>> This is my first post to the list. Have been observing for a few weeks and have learnt a lot.
>>>>
>>>> I am having an issue in one of my scripts where using the mysql_real_escape_string function is stripping content out of my input data. All is working well on my local installation, but when the files are transferred over to the live site I am getting problems.
>>>>
>>>> The sample code I am using to test this is as follows:
>>>>
>>>> if(isset($this->mysql))
>>>> {
>>>>     $query = "update pages set";
>>>>     $query .= " `title` = '" . mysql_real_escape_string ($title) . "',";
>>>>     $query .= " `text` = '" . mysql_real_escape_string ($text) . "'";
>>>>     $query .= " where id = \"$id\"";
>>>> }
>>>> echo $query;
>>>>
>>>> The $title, $text and $id values are passed in as parameters when I call the method that runs the update, and if I echo them out at the top of the method they are all present and correct. The $mysql class variable is populated with a connection handle when I instantiate an instance of the class, and the code is finding the connection as it is building the query.
>>>>
>>>> On my local machine the query is built using the escaped values from the $_POST array, but on the live site the escaped values for $title and $text are blank.
>>>>
>>>> Any ideas on where to look for config differences? The main thing I've found so far is that this may happen if no connection is present, but it is. Doing a var_dump of the connection handle shows that it is the correct handle as well.
>>>>
>>>> Any thoughts?
>>>>
>>>> Many thanks in advance for any help.
>>>>
>>>> Nigel
>>>
>>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>>
>>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>>
>> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>
> Using php4 is beyond irresponsible at this point.

Nice quip, but it doesn't do any of us any good who are stuck with PHP4 due to the decisions of people with more clout in the organization than we (like perhaps the OP). :p

--
// Todd

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 12:21 PM, haliphax halip...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera eric.but...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>>>> On Thu, Mar 5, 2009 at 11:16 AM, Nigel Green ni...@greenlemur.com wrote:
>>>>> Hi all,
>>>>>
>>>>> This is my first post to the list. Have been observing for a few weeks and have learnt a lot.
>>>>>
>>>>> I am having an issue in one of my scripts where using the mysql_real_escape_string function is stripping content out of my input data. All is working well on my local installation, but when the files are transferred over to the live site I am getting problems.
>>>>>
>>>>> The sample code I am using to test this is as follows:
>>>>>
>>>>> if(isset($this->mysql))
>>>>> {
>>>>>     $query = "update pages set";
>>>>>     $query .= " `title` = '" . mysql_real_escape_string ($title) . "',";
>>>>>     $query .= " `text` = '" . mysql_real_escape_string ($text) . "'";
>>>>>     $query .= " where id = \"$id\"";
>>>>> }
>>>>> echo $query;
>>>>>
>>>>> The $title, $text and $id values are passed in as parameters when I call the method that runs the update, and if I echo them out at the top of the method they are all present and correct. The $mysql class variable is populated with a connection handle when I instantiate an instance of the class, and the code is finding the connection as it is building the query.
>>>>>
>>>>> On my local machine the query is built using the escaped values from the $_POST array, but on the live site the escaped values for $title and $text are blank.
>>>>>
>>>>> Any ideas on where to look for config differences? The main thing I've found so far is that this may happen if no connection is present, but it is. Doing a var_dump of the connection handle shows that it is the correct handle as well.
>>>>>
>>>>> Any thoughts?
>>>>>
>>>>> Many thanks in advance for any help.
>>>>>
>>>>> Nigel
>>>>
>>>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>>>
>>>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>>>
>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>>
>> Using php4 is beyond irresponsible at this point.
>
> Nice quip, but it doesn't do any of us any good who are stuck with PHP4 due to the decisions of people with more clout in the organization than we (like perhaps the OP). :p
>
> --
> // Todd

We heard those arguments for years. Using software with no security patches is insane.

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 11:41 AM, Eric Butera eric.but...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 12:21 PM, haliphax halip...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera eric.but...@gmail.com wrote:
>>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
>>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>>>>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>>>>
>>>>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>>>>
>>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>>>
>>> Using php4 is beyond irresponsible at this point.
>>
>> Nice quip, but it doesn't do any of us any good who are stuck with PHP4 due to the decisions of people with more clout in the organization than we (like perhaps the OP). :p
>
> We heard those arguments for years. Using software with no security patches is insane.

I agree! However, there are a lot of insane people that are given the reins to decisions that are not the same people who program (and understand) the applications involved... :(

--
// Todd

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 1:47 PM, haliphax halip...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 11:41 AM, Eric Butera eric.but...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 12:21 PM, haliphax halip...@gmail.com wrote:
>>> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera eric.but...@gmail.com wrote:
>>>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
>>>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>>>>>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>>>>>
>>>>>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>>>>>
>>>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>>>>
>>>> Using php4 is beyond irresponsible at this point.
>>>
>>> Nice quip, but it doesn't do any of us any good who are stuck with PHP4 due to the decisions of people with more clout in the organization than we (like perhaps the OP). :p
>>
>> We heard those arguments for years. Using software with no security patches is insane.
>
> I agree! However, there are a lot of insane people that are given the reins to decisions that are not the same people who program (and understand) the applications involved... :(
>
> --
> // Todd

I talked my company into doing it because of the new features that would save time. Show them simplexml and domdocument. It's up to you to make it happen.

But at this point it's completely abandoned. That should be good enough for anything that is getting active development time.

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 2:00 PM, Eric Butera eric.but...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 1:47 PM, haliphax halip...@gmail.com wrote:
>> On Thu, Mar 5, 2009 at 11:41 AM, Eric Butera eric.but...@gmail.com wrote:
>>> On Thu, Mar 5, 2009 at 12:21 PM, haliphax halip...@gmail.com wrote:
>>>> On Thu, Mar 5, 2009 at 11:08 AM, Eric Butera eric.but...@gmail.com wrote:
>>>>> On Thu, Mar 5, 2009 at 12:00 PM, haliphax halip...@gmail.com wrote:
>>>>>> On Thu, Mar 5, 2009 at 10:52 AM, Eric Butera eric.but...@gmail.com wrote:
>>>>>>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>>>>>>
>>>>>>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>>>>>>
>>>>>> mysqli may not be available to him (PHP4, etc.) and I don't see why he should completely switch his procedure if his code will work with the addition of the db handle in the function call... but that's my 2c. I agree that at some level, it is more beneficial to change all of the code you have to use a new method/construct/whatever, but it may not be worth it in his case.
>>>>>
>>>>> Using php4 is beyond irresponsible at this point.
>>>>
>>>> Nice quip, but it doesn't do any of us any good who are stuck with PHP4 due to the decisions of people with more clout in the organization than we (like perhaps the OP). :p
>>>
>>> We heard those arguments for years. Using software with no security patches is insane.
>>
>> I agree! However, there are a lot of insane people that are given the reins to decisions that are not the same people who program (and understand) the applications involved... :(
>
> I talked my company into doing it because of the new features that would save time. Show them simplexml and domdocument. It's up to you to make it happen.
>
> But at this point it's completely abandoned. That should be good enough for anything that is getting active development time.

Sadly, my company is throwing PHP out the window in favor of ASP.NET, as they have an irrational fear of Open Source software. Don't get me wrong--.NET is pretty darn cool--but I literally enjoy working in PHP. The fact that I don't need an IDE to unlock the majority of the language's functionality is nice. (Editing a config file by hand or using more than a couple of nested libraries without code completion is a nightmare in .NET)

Anyway, it's already been decided. Hell, they use Microsoft for damn near everything else. I guess the mainstream mentality has overpowered honest consideration for an alternative (not my words) solution's merits.

--
// Todd

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 3:07 PM, haliphax halip...@gmail.com wrote:
> Sadly, my company is throwing PHP out the window in favor of ASP.NET, as they have an irrational fear of Open Source software. Don't get me wrong--.NET is pretty darn cool--but I literally enjoy working in PHP. The fact that I don't need an IDE to unlock the majority of the language's functionality is nice. (Editing a config file by hand or using more than a couple of nested libraries without code completion is a nightmare in .NET)
>
> Anyway, it's already been decided. Hell, they use Microsoft for damn near everything else. I guess the mainstream mentality has overpowered honest consideration for an alternative (not my words) solution's merits.
>
> --
> // Todd

Yes my company has done work for shops like that. It does seem like there is a big line drawn in the sand us vs them. =)

Good luck Todd! We'll miss you. :D

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On 05/03/09, Eric Butera wrote:
> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>
> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.

Thanks for the replies. I've reworked the database code to use PDO prepared statements and it works perfectly on the local and remote versions.

Thanks!

Nigel

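
The rework described in the message above, sketched as an added example that is not code from the thread: the `update pages` query with bound parameters through PDO, so nothing is escaped by hand and no value depends on a link resource being passed in. An in-memory SQLite database stands in for MySQL so the script runs without a server; the table layout, the function name `updatePage` and the sample values are assumptions.

```php
<?php
// Added example, not code from the thread. Assumptions: a `pages` table with
// id/title/text columns (names taken from the posted query) and an in-memory
// SQLite database so the script runs offline.

/**
 * Update one page with bound parameters instead of escaped string pieces.
 * Returns the number of rows changed.
 */
function updatePage(PDO $db, int $id, string $title, string $text): int
{
    $stmt = $db->prepare(
        'UPDATE pages SET `title` = :title, `text` = :text WHERE id = :id'
    );
    // Values travel separately from the SQL text, so quotes, backslashes and
    // comment markers in the input are stored as data, never parsed as SQL.
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':text', $text, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Against MySQL the connection would be opened like this (placeholder host,
// database name and credentials). Naming the charset in the DSN keeps the
// local and live servers on the same connection character set:
//   $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4',
//                 'user', 'password');
//   $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // server-side prepares
$db = new PDO('sqlite::memory:');

// Fail loudly: an exception is easier to notice than a silently empty value.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, `title` TEXT, `text` TEXT)');
$db->exec("INSERT INTO pages (id, `title`, `text`) VALUES (1, 'old title', 'old text')");

// Constructed sample input containing characters that would need escaping
// if the query were built by string concatenation.
$title = "Nigel's \"first\" page";
$text  = "It's 100% done; -- not a comment\nsecond line with a \\ backslash";

$changed = updatePage($db, 1, $title, $text);

// Read the row back and compare it byte for byte with what was submitted.
$row = $db->query('SELECT `title`, `text` FROM pages WHERE id = 1')
          ->fetch(PDO::FETCH_ASSOC);

var_dump($changed === 1, $row['title'] === $title, $row['text'] === $text);
```
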
Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 3:29 PM, Nigel Green ni...@greenlemur.com wrote:
> On 05/03/09, Eric Butera wrote:
>> Make sure to always pass your active database connection into the second parameter of mysql_real_escape_string. There could be character set differences between your two servers too that might be causing issues for you.
>>
>> If at all possible I would recommend upgrading to mysqli or pdo and use prepared statements.
>
> Thanks for the replies. I've reworked the database code to use PDO prepared statements and it works perfectly on the local and remote versions.
>
> Thanks!
>
> Nigel

Really? Awesome! Thank you. :D

--
http://www.voom.me | EFnet: #voom

Re: [PHP] Problem with mysql_real_escape_string
On Thu, Mar 5, 2009 at 2:11 PM, Eric Butera eric.but...@gmail.com wrote:
> On Thu, Mar 5, 2009 at 3:07 PM, haliphax halip...@gmail.com wrote:
>> Sadly, my company is throwing PHP out the window in favor of ASP.NET, as they have an irrational fear of Open Source software. Don't get me wrong--.NET is pretty darn cool--but I literally enjoy working in PHP. The fact that I don't need an IDE to unlock the majority of the language's functionality is nice. (Editing a config file by hand or using more than a couple of nested libraries without code completion is a nightmare in .NET)
>>
>> Anyway, it's already been decided. Hell, they use Microsoft for damn near everything else. I guess the mainstream mentality has overpowered honest consideration for an alternative (not my words) solution's merits.
>
> Yes my company has done work for shops like that. It does seem like there is a big line drawn in the sand us vs them. =)
>
> Good luck Todd! We'll miss you. :D

Ha! You're not getting rid of me that easily. ;) I still do pretty much all of my independent development in PHP (for paying clients and for my own interests... mostly my own interests as I'm juggling school and work and a band). I've recently started playing with the CodeIgniter framework, and it's renewed my love for the language all over again. I had tinkered with MVC for a bit in Java (of course) and ASP.NET, but it's nice to find such a clean, elegant package for it in PHP to keep the momentum going for me.

Right now, I'm working on an AJAX (jQuery) and PHP (CodeIgniter) web-based MMORPG in the vein of Urban Dead [1] that has been bouncing around in my head in the form of one idea or another for a little over a decade. Started out as a BBS door, then a stand-alone telnet server, then a C++ application, then a Java applet, and now I'm on the second incarnation of an XHTML/JS implementation that is showing some serious promise. No doubt I'll be hitting the list with some interesting questions in the near future. ;)

Links:
1. http://www.urbandead.com/

--
// Todd

Re: [PHP] problem with mysql_real_escape_string()
[EMAIL PROTECTED] wrote:
> I moved my website from one php4/mysql4 based server to new hosting company and php5/mysql5 based server. Everything worked fine on old server, though now, on one page after I submit new record, I'll get this error:
>
> Warning: mysql_real_escape_string() [function.mysql-real-escape-string https://www.mydomain.com/function.mysql-real-escape-string ]: Access denied for user 'daemon'@'localhost' (using password: NO) in /srv/www/mydomain/add_record.php on line 30
>
> Warning: mysql_real_escape_string() [function.mysql-real-escape-string https://www.mydomain.com/function.mysql-real-escape-string ]: A link to the server could not be established in /srv/www/mydomain.com/add_record.php on line 30
>
> and this is a code:
>
> 26 if(isset($_POST['SubmitNewRecord']))
> 27 {
> 28     foreach($_POST as $key => $value)
> 29     {
> 30         ${$key} = mysql_real_escape_string($value);
> 31     }
> 32 }
>
> Never got such an error message before.

Check the archives - this was asked a few days ago.

The mysql_real_escape_string function requires a connection to the database to be open. If one isn't open it will try to open one with the defaults. All you need to do is make sure you connect to the mysql database before using mysql_real_escape_string.

-Stut

Re: [PHP] problem with mysql_real_escape_string()
A little bit lower on php.net/manual I found an explanation too. I'm sorry for bothering - I didn't check the whole page before posting. The Warning was strange for me because I never got it before :)

Thanks for your help.

-afan

> [EMAIL PROTECTED] wrote:
>> I moved my website from one php4/mysql4 based server to new hosting company and php5/mysql5 based server. Everything worked fine on old server, though now, on one page after I submit new record, I'll get this error:
>>
>> Warning: mysql_real_escape_string() [function.mysql-real-escape-string https://www.mydomain.com/function.mysql-real-escape-string ]: Access denied for user 'daemon'@'localhost' (using password: NO) in /srv/www/mydomain/add_record.php on line 30
>>
>> Warning: mysql_real_escape_string() [function.mysql-real-escape-string https://www.mydomain.com/function.mysql-real-escape-string ]: A link to the server could not be established in /srv/www/mydomain.com/add_record.php on line 30
>>
>> and this is a code:
>>
>> 26 if(isset($_POST['SubmitNewRecord']))
>> 27 {
>> 28     foreach($_POST as $key => $value)
>> 29     {
>> 30         ${$key} = mysql_real_escape_string($value);
>> 31     }
>> 32 }
>>
>> Never got such an error message before.
>
> Check the archives - this was asked a few days ago.
>
> The mysql_real_escape_string function requires a connection to the database to be open. If one isn't open it will try to open one with the defaults. All you need to do is make sure you connect to the mysql database before using mysql_real_escape_string.
>
> -Stut