
I began learning to code a few days ago and I am having some issues with mysql_real_escape_string, specifically with a login.php.

The error messages:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 3

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 3

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 4

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 4
Please enter a username and a password

Here is the code I have so far -- this code worked on localhost, but once I put it online and imported the database tables, it gave me some issues:

<?php

// Escaping happens here, before any connection exists (the cause of the warnings above)
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

if ($username && $password)
{
    $connect = mysql_connect("localhost", "elegant_root", "password;1") or die("Couldn't connect!");
    mysql_select_db("elegant_ezworkstation") or die("Couldn't find database");

    // String value must be quoted in the SQL, otherwise MySQL treats it as a column name
    $query = mysql_query("SELECT * FROM users WHERE username='$username'");

    $numrows = mysql_numrows($query);

    if ($numrows != 0)
    {
        while ($row = mysql_fetch_assoc($query))
        {
            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        if ($username == $dbusername && $password == $dbpassword)
        {
            echo "You're in";
        }
        else
            echo "Incorrect password!";
    }
    else
        die("That user doesn't exist");
}
else
    die("Please enter a username and a password");

?>

EDIT: I changed to mysqli and I got these errors:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 3

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 4
Mat
    You need `mysql connection` before you call `mysql_real_escape_string` ... put it after the connection `mysql_connect` – Baba Oct 25 '12 at 14:26
  • Rewrite your code and use `mysqli_()` – Mr. Alien Oct 25 '12 at 14:26
    If you're learning to code, don't learn from any tutorials that use mysql... look for tutorials that use mysqli or (better still) PDO – Mark Baker Oct 25 '12 at 14:31
  • I'm wondering what resource you're using that sent you down the path of using `mysql_query` in 2012. – tadman Oct 25 '12 at 14:33
  • Please, don't use `mysql_*` functions to write new code. They are no longer maintained and the community has begun [deprecation process](http://goo.gl/KJveJ). See the *[red box](http://goo.gl/GPmFd)*? Instead you should learn about [prepared statements](http://goo.gl/vn8zQ) and use either [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli). If you can't decide which, [this article](http://goo.gl/3gqF9) will help you. If you pick PDO, [here is good tutorial](http://goo.gl/vFWnC) – Anthony Hatzopoulos Oct 25 '12 at 14:59

1 Answer


Putting mysql_real_escape_string() after you connect to the db will work fine.

However, you should shift to mysqli or PDO. MySQL is deprecated now. A few links to help you out:

  1. Moving from mysql to mysqli or pdo?
  2. mysqli or PDO - what are the pros and cons?

The equivalent commands in mysqli and PDO for escaping would be mysqli_real_escape_string() and PDO::quote() respectively.

As people are pointing out, PDO is definitely the better alternative. Here is an answer I previously wrote comparing PDO with others.

PDO - real facts and best practice?

And another advantage of this will be that you don't need to use escaping functions if you use prepared statements with named parameters.

abhshkdz
  • The thing about PDO and `mysqli` is you really don't need to use the SQL escaping functions directly if you use placeholders, which is really the *only* way to be safe. – tadman Oct 25 '12 at 14:33
  • I edited it so that it is using mysqli_real_escape_string() but now I get these error messages: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 3 Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 4 – TheHappyPeanut Oct 25 '12 at 14:34
  • Please go through the official documentation [here](http://www.php.net/manual/en/mysqli.real-escape-string.php) and see what you are missing. – abhshkdz Oct 25 '12 at 14:37
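The approach the answer and comments recommend, written out as an added example (not the asker's or the answerer's code): the login check from the question rewritten with PDO prepared statements and named parameters, so no escaping call is needed at all. It assumes the `users` table with `username` and `password` columns from the question, assumes passwords are stored as password_hash() output rather than plaintext, and uses an in-memory SQLite database (constructed here) so it runs without a MySQL server.

```php
<?php
// Added example, not code from the original post. Assumes a `users` table
// with `username` and `password` columns as in the question; passwords are
// assumed to be stored as password_hash() output, not plaintext.

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // Named placeholder: the value travels separately from the SQL text, so a
    // quote character in $username cannot alter the statement's structure.
    // This is why no mysql_real_escape_string()/PDO::quote() call is needed.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One failure result for both "no such user" and "wrong password", so the
    // response does not reveal which usernames exist (the original code's
    // "That user doesn't exist" vs "Incorrect password!" messages do).
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password']);
}

// Constructed in-memory SQLite database so the example runs offline; against
// MySQL the DSN would be 'mysql:host=localhost;dbname=...' with credentials.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed test user whose name contains a quote, the exact case that the
// escaping functions exist to handle; the placeholder copes with it as-is.
$insert = $pdo->prepare('INSERT INTO users (username, password) VALUES (:username, :password)');
$insert->execute([
    ':username' => "O'Brien",
    ':password' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

var_dump(authenticate($pdo, "O'Brien", 'correct horse'));
var_dump(authenticate($pdo, "O'Brien", 'wrong password'));
var_dump(authenticate($pdo, 'nobody', 'correct horse'));
```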