[RESOLVED] my_sql_real_escape_string() error

Tezread

Im not sure how to contend with this error message:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user: 'root@localhost' (Using password: NO) in /disk1/home3/mindseye/public_html/common_functions.php on line 12
Here is the code the message refers to:



<?php    

// Quote variable to make safe 
function quote_smart($value) 
{ 
   // Stripslashes 
   if (get_magic_quotes_gpc()) { 
       $value = stripslashes($value); 
   } 
   // Quote if not integer 
   if (!is_numeric($value)) { 
       $value = "'" . mysql_real_escape_string($value) . "'"; 
   } 
   return $value; 
} 
?>

thx in advance

rincewind456

That's a function from the PHP manual and can't be causing the error you have.

You need the next part of the manuals example

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
   OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
           quote_smart($_POST['username']),
           quote_smart($_POST['password']));

mysql_query($query);
?>

in order to connect to the Database.

Roger_Ramjet

Well, you are correct there rincewind, up to a point

I gave him that code, but assumed he already had his db connect include in place, after all, the main script is parsing the data for insert into the db. This is just to protect from sql injection attacks.
We are processing all the $_POST vars with it, then storing them in session vars so that the form handler has them available, it's a multi-page form. This function is in a common functions file that is included, and the function is not called when the query is run as the data has already been pre-processed for building the insert query with string concatenation.

Could not figure what is going on myself so I told Tez to post a new thread here where better brains than mine could help.

Tez, you'll have to post ALL the code, I mean all pages and any includes (but change your domain, user and password) so people can really see what you are doing. Zip them up and attach them.

Tezread

The resulting error is for the above code being pasted into common_functions.php

// Connect $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password') OR die(mysql_error()); // Make a safe query $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s", quote_smart($POST['username']), quote_smart($POST['password'])); mysql_query($query); ?>
Fatal error: Call to undefined function: quote_smart() in /disk1/home3/mindseye/public_html/nottsvcs_placeyourorganisation_short.php on line 13

Tezread

OK here goes: This is the the first page of the multipage form. The code on top is used in each part of the multipage form:


<?php 

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['submit'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 

} 
} 
?>

This is common_functions.php

<?php
// Connect to db
include("connect.php");

// I am not showing you my host user and password but I have put them in honest!
$link = mysql_connect('host', 'user', 'password') 
   OR die(mysql_error()); 

// Make a safe query 

$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s", 
           quote_smart($_POST['username']), 
           quote_smart($_POST['password'])); 

mysql_query($query); 
?>

and this is the formhandler at the end of the multipage form

<?php 
session_start();

require_once('common_functions.php'); // includes the quote_smart function 

if (isset($_POST['Submit'])) { 

foreach ($_POST as $key=>$val) { 

// build the column name list 
$_SESSION['cols'] .= $key . ','; 
// and the values list 
$_SESSION['vals'] .= quote_smart($val) . ','; 

} 
} 
include("connect.php"); 

$strcols = rtrim($_SESSION['cols'], ',');    

$strvals = rtrim($_SESSION['vals'], ','); 
//now echo them just for debugging 
echo $strcols; 
echo $strvals; 
//remove the echos once it is working 

$sql = "INSERT INTO nottsvcs (" . $strcols . ") VALUES (" . $strvals . ")"; 

echo $sql; 

?>

Latest error message reads:

Fatal error: Call to undefined function: quote_smart() in /disk1/home3/mindseye/public_html/common_functions.php on line 11

Also note the previous error messages early on in this posted thread.

If anyone can help I would be grateful. Thx in advance

rincewind456

The error message is quite clear it can't find the function quote_smart() which should be in your common_functions file.

If the code in your previous post is complete then you need to add the code from your first post in this thread to your common_functions.php file.