Do a [man]print_r/man on $_REQUEST - what does it look like? Is there a 'mesg' element?

Where is $subject ever defined?

bradgrafelman;10959414 wrote:

Do a [man]print_r/man on $_REQUEST - what does it look like? Is there a 'mesg' element?

Where is $subject ever defined?

$subject is defined some lines up:

if( isset($_REQUEST['subject']) )
   $subject = $_REQUEST['subject'];
else
   $subject = 'No Subject';

print_r($_REQUEST):

Array ( [action] => saveticket [source] => System [cust_id] => 1144 [name] => name is here [cat] => 2 [subject] => [mesg] => message goes here [priority] => 1 [PHPSESSID] => 1a2067d24c6429aadce3fc31dc613c1a )

The code works correctly on my test machine but, not on the other one.

I tried using addslashes() instead and it works. Weird.

Any explanation on why mysql_real_escape_string() didn't work?

Thanks.

you have full error checking on? you have to connect to a db before calling mysql_real_escape_string().

You marked the thread resolved, but never responded... was dagon's question related to the solution?

Also note that you should never use [man]addslashes/man to prepare data for a SQL query (unless you're somehow stuck with a DBMS that provides no specific escaping function/method).

I marked it resolved since I used addslashes() and it worked.

Theres already a connection before calling mysql_real_escape_string(). As I mentioned before, the script works fine on my test machine and not on the server I need it to run on.

If I shouldn't use addslashes() then, how can I resolve the mysql_real_escape_string() problem I have?

Thanks.

landysaccount wrote:

how can I resolve the mysql_real_escape_string() problem I have?

Do you have error_reporting set to E_ALL and display_errors set to On?

Looks like here's the problem after seting error_reporting to E_ALL now I get this:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'www-data'@'localhost' (using password: NO) in /home/landysaccount/optimum/owsTicket/ticket-save.php on line 29

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/landysaccount/optimum/owsTicket/ticket-save.php on line 29

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'www-data'@'localhost' (using password: NO) in /home/landysaccount/optimum/owsTicket/ticket-save.php on line 29

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/landysaccount/optimum/owsTicket/ticket-save.php on line 29

I'm not using an user www-data for mysql.

I'm using this little class to connect to mysql:

<?php

// Class db: Connects to database and returns linkid.
class DB{

  var $sqlhost; 
  var $sqluser;
  var $sqlpass;
  var $sqldb;
  var $err;
  var $status;
  var $num_rows;
  var $result;
  var $rows     = Array();
  var $last_insert_id;

  function DB( $query ){

$this->sqlhost  = "localhost";
$this->sqluser  = "username";
$this->sqlpass  = "";
$this->sqldb    = "optimum";

$this->query    = $query;

$this->__Connect__();
$this->__TalkToDB__();

  }// end constructor Session


///////////////////////////////////////// 
  function __Connect__(){
      //connect to mysql
      $this->linkid = mysql_connect( $this->sqlhost, $this->sqluser, $this->sqlpass );

  if( $this->linkid ){
    $this->result = mysql_select_db( $this->sqldb, $this->linkid );
  }
  else
    $this->err = "Could not connect to MySQL server";
}// end Connect function
/////////////////////////////////////////    

  function __TalkToDb__(){

  $this->result = mysql_query( $this->query, $this->linkid );

  if( !$this->result ){
    echo ( "Query: '" . $this->query . "', failed with error message: -- " . mysql_error() . " --" );
  }     
  }// end TalkToDb function
//////////////////////////////////////////

  function __CountRows__(){
      $this->num_rows = mysql_num_rows( $this->result );

  return $this->num_rows;

  }

//////////////////////////////////////////  

  function __LastInsertedId__()
  {
    return mysql_insert_id( $this->result );
  }


}// end class definition



$query = "insert into ows_ticket( id, cust_id, name, cat, priority, source, rep, subj, problem ) " .
              "values ( $id, $cust_id, '" . $_REQUEST['name'] . "', " . $_REQUEST['cat'] . 
              ", '" . $_REQUEST['priority'] . "', '" . $_REQUEST['source'] . "', '" . $_SESSION['SESS_LOGIN'] . 
              "', '" .mysql_real_escape_string( $subject ). "', '" .  mysql_real_escape_string( $_REQUEST['mesg'] ) . "')";



$save = new DB($query);
?>

You're not connecting to the db, before calling mysql_real_escape_string, so its trying to make a connection and failing.

Ok. I did some changes to the class and got it working:

// Class db: Connects to database and returns linkid.
class DB{

  var $sqlhost; 
  var $sqluser;
  var $sqlpass;
  var $sqldb;
  var $err;
  var $status;
  var $num_rows;
  var $result;
  var $linkid;
  var $query;
  var $rows     = Array();
  var $last_insert_id;

  function DB( $query="" ){

$this->sqlhost  = "localhost";
$this->sqluser  = "whernandez";
$this->sqlpass  = "";
$this->sqldb    = "optimum";

$this->query    = $query;

if( $this->query == "" ){
  $this->__Connect__();
}
else{
  $this->__Connect__();
  $this->__TalkToDB__();
}




  }// end constructor Session


///////////////////////////////////////// 
  function __Connect__(){
      //connect to mysql
      $this->linkid = mysql_connect( $this->sqlhost, $this->sqluser, $this->sqlpass );

  if( $this->linkid ){
    $this->result = mysql_select_db( $this->sqldb, $this->linkid );
  }
  else
    $this->err = "Could not connect to MySQL server";
}// end Connect function
/////////////////////////////////////////    

  function __TalkToDb__(){

  $this->result = mysql_query( $this->query, $this->linkid );

  if( !$this->result ){
    echo ( "Query: '" . $this->query . "', failed with error message: -- " . mysql_error() . " --" );
  }     
  }// end TalkToDb function
//////////////////////////////////////////

  function __CountRows__(){
      $this->num_rows = mysql_num_rows( $this->result );

  return $this->num_rows;

  }

//////////////////////////////////////////  

  function __LastInsertedId__()
  {
    return mysql_insert_id( $this->result );
  }


/////////////////////////////

$s = new DB();

$query = "insert into ows_ticket( id, cust_id, name, cat, priority, source, rep, subj, problem ) " .
          "values ( $id, $cust_id, '" . $_REQUEST['name'] . "', " . $_REQUEST['cat'] . 
          ", '" . $_REQUEST['priority'] . "', '" . $_REQUEST['source'] . "', '" . $_SESSION['SESS_LOGIN'] . 
          "', '" . mysql_real_escape_string( $subject, $s->linkid ). "', '" .  mysql_real_escape_string( $_REQUEST['mesg'], $s->linkid ) . "')";


$save = new DB($query);



}// end class definition

This works without warnings/errors and saves the record correctly. I don't know if is the best way to do it but, it works. If anyone has any suggestions throw it this way.

Thanks.