
Why is mysql_real_escape_string not working in this code?

Normally, when the page loads, the input looks like this:

http://image.free.in.th/v/2013/ie/160812064246.jpg

But when you load the page www.example.com/test.php?value_1=">

why does the input look like this?

http://image.free.in.th/v/2013/ia/160812064312.jpg

What can I do?

test.php

<?PHP
include("connect.php");
$ex_search_value = mysql_real_escape_string($_GET['value_1']);
?>

<input placeholder="PLEASE ENTER" value="<?PHP echo $ex_search_value; ?>" style=" margin: 0px; width: 810px;height: 33px;line-height: 17px;line-height: 33px\0;^line-height: 33px;padding: 0px;margin-right: -1px;padding-left: 5px;-webkit-box-shadow: 0 2px 3px rgba(0,0,0,0.1);-moz-box-shadow: 0 2px 3px rgba(0,0,0,0.1); box-shadow: 0 2px 3px rgba(0,0,0,0.1); ">
peat wedty

2 Answers


mysql_real_escape_string escapes data so you can safely put it in an SQL query that you then send to MySQL. (NB: mysql_real_escape_string is part of an obsolete API you should have stopped using about half a decade ago.)

value="<?PHP echo $ex_search_value; ?>" 

That is not SQL. That is HTML, which you send to a web browser.

HTML is a different language from SQL. The escaping rules are different: not even subtly different, they are completely different.

You need to use htmlspecialchars() to escape data so it is suitable for inserting into HTML.

Quentin
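As an added example (not code from the question or from either answer), the PHP script below makes the point of both answers concrete on the question's own `">` input: SQL-style escaping does nothing useful in an HTML attribute, and HTML escaping does nothing useful in an SQL literal. Because `mysql_real_escape_string()` needs a live MySQL connection and no longer exists in PHP 7+, the script stands it in with a small helper, `sqlStyleEscape()`, that applies the same backslash rules; that helper, the `$value1`/`$sqlInput` sample strings and the appended `<script>` payload are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the question or the answers. It contrasts
// SQL-style escaping with HTML escaping on the question's own input.

// Stand-in for mysql_real_escape_string(): that function needs a live
// MySQL connection and no longer exists in PHP 7+, so this helper
// (an assumption made for the demo) backslash-escapes the same byte set
// it did: NUL, \n, \r, \, ', " and Ctrl-Z. The backslash itself must be
// handled first so later replacements are not escaped twice.
function sqlStyleEscape(string $s): string
{
    return str_replace(
        ["\\",   "\0",  "\n",  "\r",  "'",   "\"",   "\x1a"],
        ["\\\\", "\\0", "\\n", "\\r", "\\'", "\\\"", "\\Z"],
        $s
    );
}

// Constructed input: what ?value_1="> from the question becomes once a
// tester appends a payload after the closing quote.
$value1 = '"><script>alert(1)</script>';

// What test.php does today: SQL escaping, then straight into HTML.
// A browser attaches no meaning to a backslash inside an attribute,
// so the double quote still closes value="..." and <script> is live.
$broken = '<input value="' . sqlStyleEscape($value1) . '">';

// What an HTML attribute needs: htmlspecialchars() with ENT_QUOTES so
// both quote styles are encoded, and an explicit charset.
$fixed = '<input value="' . htmlspecialchars($value1, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';

echo "SQL-style escaping inside an HTML attribute:\n  $broken\n";
echo "htmlspecialchars() inside an HTML attribute:\n  $fixed\n";

// The reverse mistake is just as wrong. ENT_COMPAT (the default before
// PHP 8.1) encodes only double quotes, so the single quote that ends an
// SQL string literal passes straight through and the query is still
// injectable; the SQL-style escaper is what that context needs.
$sqlInput = "O'Reilly' OR '1'='1";
echo "htmlspecialchars() for an SQL literal:\n  " . htmlspecialchars($sqlInput, ENT_COMPAT) . "\n";
echo "SQL-style escaping for an SQL literal:\n  " . sqlStyleEscape($sqlInput) . "\n";
```

Run it with `php example.php`. In the first output line the double quote sits unescaped right after `value="` with a live `<script>` element behind it; in the second the quote and angle brackets have become `&quot;`, `&lt;` and `&gt;`, which the browser renders as text inside the box. The last two lines show the single quote surviving HTML encoding untouched and being backslash-escaped by the SQL-style rule: each output context needs its own escaping function, chosen by where the data is going, not by where it came from.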

The mysql API is deprecated; you really should not be using it. Try to use mysqli.

This is the syntax: mysqli_real_escape_string(connection, escapestring); it takes the connection object and the string you want to escape.

A good example is this:

<?php
   $con = mysqli_connect("localhost", "my_user", "my_password", "my_db");
   // Check connection and stop if it failed; escaping and querying
   // both need a live connection
   if (mysqli_connect_errno()) {
      die("Failed to connect to MySQL: " . mysqli_connect_error());
   }

   // escape variables for security (the connection is passed so the
   // escaping matches the connection's character set)
   $firstname = mysqli_real_escape_string($con, $_POST['firstname']);
   $lastname = mysqli_real_escape_string($con, $_POST['lastname']);
   $age = mysqli_real_escape_string($con, $_POST['age']);

   $sql = "INSERT INTO Persons (FirstName, LastName, Age)
   VALUES ('$firstname', '$lastname', '$age')";

   // run the query once and check the result
   if (!mysqli_query($con, $sql)) {
     die('Error: ' . mysqli_error($con));
   }
   echo "1 record added";
   mysqli_close($con);
?>
Babajide Apata
    Absolutely wrong: `mysql_real_escape_string` can be the worst thing ever, but it takes only 1 argument, not 2. The function used here is `mysqli`-based. – Hanky Panky Aug 12 '16 at 07:35