-2

I made a login/register script, and on my localhost everything works OK, but when I upload the script to the server and use the mysql_real_escape function, I get an empty string. Why is this function different on localhost and on the real server? This is my code:

//functions.php

<?php
   function clean($data){
      return mysql_real_escape_string($data);
   }
?>

//otherFile.php

<?php

   include 'functions.php';
   $user = $_POST['username'];
   $pass = encrypt($_POST['password']);
   $rem = $_POST['remember'];

   $user = clean($user);
   $pass = clean($pass);
   $rem = clean($rem);

?>
Alen

2 Answers

0
<?php
   function clean($data){
      return mysql_real_escape_string($temp);
   }
?>

You are passing one variable and returning another.

Edit: Are you connecting with mysql? For this function to work, you need mysql_connect, not mysqli_connect.

Use mysqli_real_escape_string Doc

Mihai
  • Sorry, it was a typo, I edited my question. EDIT: Yes, I connect with mysql, I only posted the block of code where I think the error is – Alen Nov 23 '13 at 22:20
0

mysql_real_escape_string() requires a valid database connection to be present (it should be the connection that you're using to insert the cleaned data into the database). If no connection exists, false will be returned.

Make sure you have a database connection running.

Pekka
  • Ok, so in every one of my PHP files, I first include connection.php, which is for the mysqli connection, and then functions.php, where you can find the clean() function, so if I first include functions.php and then connection.php, will it work? – Alen Nov 23 '13 at 22:26
  • If you call `clean()` after you initialize the database connection, it should work. – Pekka Nov 23 '13 at 22:27
  • 1
    @Alen If you are using mysqli, why in god's name are you using `mysql_real_escape_string`?! – deceze Nov 23 '13 at 22:39
  • I see your point, but if I put mysqli_real_escape_string then I get an empty string, and with mysql_real_escape_string my string is properly escaped although I use mysqli. I'm still a PHP noob, so if you have advice about this, share it with me. @deceze – Alen Nov 23 '13 at 23:00
  • 1
    @Alen never use a different library's escape function. It is vital that you use the correct one, with a valid database connection – Pekka Nov 23 '13 at 23:05
  • 1
    @Alen Get away from the idea of a global "`clean()`" function, it's fundamentally flawed. Read http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and http://kunststube.net/escapism. – deceze Nov 24 '13 at 07:26
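
The advice in this thread (open the connection first, use the escape function of the same library and connection, and prefer bound parameters over a global `clean()`) can be put together as follows. This is an added example, not code from the question or the answers; the host, credentials, database name, the `users` table with its `id`, `username` and `password_hash` columns, and the helper names `find_user()` and `escape_for()` are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Host, credentials, database name and
// the `users` table (id, username, password_hash) are assumed placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors instead of returning false

// Open the connection first; everything below uses this same handle.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

/**
 * Look up a user with a prepared statement and verify the password.
 * Returns the user id on success, null on any failure.
 */
function find_user(mysqli $db, string $username, string $password): ?int
{
    // The value is bound as a parameter and never spliced into the SQL text,
    // so no escaping function (and no global clean()) is involved.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();

    if ($found !== true) {
        return null;
    }
    // Assumes the stored hash was created with password_hash() at registration.
    return password_verify($password, $hash) ? (int) $id : null;
}

// If legacy code still builds query strings, the escape call must come from
// the same library and the same open connection that runs the query.
function escape_for(mysqli $db, string $value): string
{
    return $db->real_escape_string($value);
}

$user = isset($_POST['username']) ? (string) $_POST['username'] : '';
$pass = isset($_POST['password']) ? (string) $_POST['password'] : '';

$userId = find_user($db, $user, $pass);
echo $userId === null ? "Login failed\n" : "Logged in as user #$userId\n";
```

Passing the connection into each function makes the dependency explicit, so the include order of `connection.php` and `functions.php` no longer decides whether escaping silently fails.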