

(Of the HTML form that precedes this script in the post, only the option labels survive: Atomic Number, Latin, English, Abbreviation.)

```php
<?php
// The opening of this block (the <?php tag and the outer if) is missing from
// the post; an isset() check on the submitted form is assumed here.
if (isset($_POST['fieldname'], $_POST['searchtext'])) {
    /*** check the variables for content ***/

    /*** a list of filters ***/
    $filters = array(
        'searchtext' => array(
            'filter'  => FILTER_CALLBACK,
            'options' => 'mysql_real_escape_string'),
        'fieldname'  => array(
            'filter'  => FILTER_CALLBACK,
            'options' => 'mysql_real_escape_string')
    );

    /*** escape all POST variables ***/
    $input = filter_input_array(INPUT_POST, $filters);

    /*** check the values are not empty ***/
    if (empty($input['fieldname']) || empty($input['searchtext'])) {
        echo 'Invalid search';
    } else {
        /*** mysql hostname ***/
        $hostname = 'localhost';
        /*** mysql username ***/
        $username = 'username';
        /*** mysql password ***/
        $password = 'password';
        /*** mysql database name ***/
        $dbname = 'periodic_table';

        /*** connect to the database ***/
        $link = @mysql_connect($hostname, $username, $password);

        /*** check if the link is a valid resource ***/
        if (is_resource($link)) {
            /*** select the database we wish to use ***/
            if (mysql_select_db($dbname, $link) === TRUE) {
                /*** sql to SELECT information ***/
                $sql = sprintf("SELECT * FROM elements WHERE %s = '%s'",
                               $input['fieldname'], $input['searchtext']);
                /*** echo the sql query ***/
                echo '<h3>' . $sql . '</h3>';
                /*** run the query ***/
                $result = mysql_query($sql);
                /*** check if the result is a valid resource ***/
                if (is_resource($result)) {
                    /*** check if we have more than zero rows ***/
                    if (mysql_num_rows($result) !== 0) {
                        echo '<table>';
                        while ($row = mysql_fetch_array($result)) {
                            echo '<tr>
                                <td>' . $row['atomicnumber'] . '</td>
                                <td>' . $row['latin'] . '</td>
                                <td>' . $row['english'] . '</td>
                                <td>' . $row['abbr'] . '</td>
                            </tr>';
                        }
                        echo '</table>';
                    } else {
                        /*** if zero results are found.. ***/
                        echo 'Zero results found';
                    }
                } else {
                    /*** if the resource is not valid ***/
                    echo 'No valid resource found'; // the echo was missing in the post
                }
            }
            /*** if we are unable to select the database show an error ***/
            else {
                echo 'Unable to select database ' . $dbname;
            }
            /*** close the connection ***/
            mysql_close($link);
        } else {
            /*** if we fail to connect ***/
            echo 'Unable to connect';
        }
    }
}
else {
    echo 'Please Choose An Element';
}
?>
```

I got this code from the phppro.org tutorials site and I tried to run it. It gives: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established. .... Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO)....

I went to php.net and looked it up: "Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used."

My questions are:

  1. Why did they put single quotation marks around mysql_real_escape_string?
  2. Should they establish a connection first, and then use the $filters array statement with mysql_real_escape_string?

  • @Col.Shrapnel: Nope, the whole filter_input_array() thingy is supposed to invoke real_escape_string on each element of _POST and store the result in $input. If it worked as intended there would be no SQL injection vulnerability. Commented Mar 24, 2010 at 22:47
  • @VolkerK So what? real_escape_string is not a magic spell that makes you "safe". Commented Mar 24, 2010 at 22:57
  • I mean take a closer look at the WHERE clause ;) Commented Mar 25, 2010 at 4:11

3 Answers


Your problem here is not with mysql_real_escape_string. Your problem is with the fact that you don't have a connection to a server. Do you have a database 'periodic_table' running locally with 'username' and 'password' for your login credentials?


2 Comments

  • Move the $input = filter_input_array(INPUT_POST, $filters); line after if(is_resource($link))
  • Man, even phppro tutorials do not work, so I guess no one is PRO, and why would people put up tutorials that do not work?

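A corrected version of the question's script, added here as an example (it is not taken from the phppro tutorial or from any of the answers): it opens the connection before the filters are built, which is what this answer and the comment above suggest, passes the link to mysql_real_escape_string explicitly, and checks the column name against an allow-list, because escaping only protects quoted string values and fieldname is used as an identifier in the WHERE clause. The hostname, credentials and the allow-list of columns are assumptions (the column names are the ones the script reads back); htmlspecialchars() on output is an addition as well.

```php
<?php
// Added example, not the tutorial's or the asker's code. Connection details
// are placeholders (assumed); the allowed columns are the ones the original
// script reads back from the result rows.
$hostname = 'localhost';
$username = 'username';
$password = 'password';
$dbname   = 'periodic_table';

// 1. Connect first: mysql_real_escape_string() needs a live link so it can
//    use the connection's character set. (The mysql_* extension was removed
//    in PHP 7; mysqli_real_escape_string($link, $value) has the same
//    "connection first" requirement.)
$link = mysql_connect($hostname, $username, $password);
if (!is_resource($link) || mysql_select_db($dbname, $link) !== true) {
    die('Unable to connect or select database');
}

// 2. Only now build the filter set. The closure passes $link explicitly so
//    the callback never falls back to "the last MySQL connection".
$filters = array(
    'searchtext' => array(
        'filter'  => FILTER_CALLBACK,
        'options' => function ($value) use ($link) {
            return mysql_real_escape_string($value, $link);
        },
    ),
    // fieldname ends up as an identifier, not a quoted string, so escaping
    // is the wrong tool; it is validated against an allow-list below instead.
    'fieldname'  => FILTER_DEFAULT,
);
$input = filter_input_array(INPUT_POST, $filters);

// 3. Allow-list the column name (assumed list, matching the output columns).
$allowedColumns = array('atomicnumber', 'latin', 'english', 'abbr');
if (empty($input['fieldname']) || empty($input['searchtext'])
    || !in_array($input['fieldname'], $allowedColumns, true)) {
    mysql_close($link);
    die('Invalid search');
}

// The column name is now one of four known literals; the value is escaped.
$sql = sprintf("SELECT * FROM elements WHERE `%s` = '%s'",
               $input['fieldname'], $input['searchtext']);
$result = mysql_query($sql, $link);

if (is_resource($result) && mysql_num_rows($result) > 0) {
    echo '<table>';
    while ($row = mysql_fetch_assoc($result)) {
        // Escape on output too: the table cells are user-searchable data.
        echo '<tr><td>' . htmlspecialchars($row['atomicnumber']) . '</td>'
           . '<td>' . htmlspecialchars($row['latin']) . '</td>'
           . '<td>' . htmlspecialchars($row['english']) . '</td>'
           . '<td>' . htmlspecialchars($row['abbr']) . '</td></tr>';
    }
    echo '</table>';
} else {
    echo 'Zero results found';
}
mysql_close($link);
```

The ordering fix alone removes the E_WARNING the asker sees; the allow-list is what actually closes the hole the comments hint at, since no amount of escaping turns an attacker-chosen column name into a safe identifier.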
  1. They used the function name as a parameter for another function.
  2. Yes


I think mysql_real_escape_string needs a connection so it knows what charset is used.

Also, in PHP, single quotes are faster than double quotes, as PHP doesn't have to process the contents of the string looking for $varname etc.