
I have this code:

$query = "select id from votes where username = '$user' and article_id  = $this->id";

I tried this code to sanitize it:

$query = sprintf("select id from votes where username = '$user' and article_id = $this->id", 
    mysql_real_escape_string($user), 
    mysql_real_escape_string($password));

but I get this error for the mysql_real_escape lines:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 145
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO) in /home/mexautos/public_html/kiubbo/data/article.php on line 146
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/mexautos/public_html/kiubbo/data/article.php on line 146

I get the user name here, I don't know if it's safe enough:

function getUsername(){ return $this->username; }

Thx

7 Answers

8

You need a mysql connection before you can use mysql_real_escape_string.


2 Comments

I do have a connection, I mean the site works and connects to the db before inserting those lines. Thx.
That's not what the error is saying! Try using your link identifier as the second argument for your mysql_real_escape_strings and see if that helps.
7

I would suggest using prepared statements for this instead of sprintf

2 Comments

Great idea if the mysql interface supported them. He would need to switch to mysqli or PDO to use prepared statements.
If he's using PHP 5 or greater, mysqli is included.
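For reference, here is the lookup from the question written as a PDO prepared statement. This is an added example, not code from any answer above: the DSN, the database name, the environment variable holding the password and the column types of `votes` (username as a string, article_id as an integer) are assumptions; the user name `mexautos` is the one shown in the warnings.

```php
<?php
// Added example: the question's query as a PDO prepared statement.
// Assumed: DSN/host/dbname, DB_PASSWORD env var, votes(username VARCHAR, article_id INT).
declare(strict_types=1);

function getVoteId(PDO $db, string $user, int $articleId): ?int
{
    // Placeholders replace the interpolated $user / $this->id. The values are
    // sent to the server separately from the SQL text, so no escaping is needed
    // and no mysql_real_escape_string() link is required.
    $stmt = $db->prepare(
        'SELECT id FROM votes WHERE username = :username AND article_id = :article_id'
    );
    $stmt->bindValue(':username', $user, PDO::PARAM_STR);
    $stmt->bindValue(':article_id', $articleId, PDO::PARAM_INT);
    $stmt->execute();

    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Connection: charset declared in the DSN (escaping and prepares depend on it),
// native server-side prepares instead of client-side emulation, and exceptions
// instead of silent false returns.
$db = new PDO(
    'mysql:host=localhost;dbname=kiubbo;charset=utf8mb4',  // assumed DSN
    'mexautos',                                              // user from the warnings
    getenv('DB_PASSWORD') ?: '',                             // assumed env var; the warnings show "using password: NO"
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// A hostile username is just a string value to compare against; the quote and
// the OR clause never reach the SQL parser as syntax.
$hostile = "' OR '1'='1";
var_dump(getVoteId($db, $hostile, 42));   // NULL unless a user literally named that voted

// The integer parameter is typed: with strict_types a string such as "1 OR 1=1"
// is a TypeError at the call site, and PARAM_INT binds an integer.
var_dump(getVoteId($db, 'alice', 42));
```

The point of binding the article id with `PDO::PARAM_INT` (rather than escaping it) is the part escaping cannot cover: `mysql_real_escape_string()` only protects a value that sits inside quotes, and `article_id = $this->id` in the original query is unquoted, so an injected `1 OR 1=1` would survive escaping untouched.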
3

Not sure if this is what's causing your problem, but I believe the variables in your sprintf statement shouldn't be '$user' and '$this->id', but they should be '%s'

https://www.php.net/sprintf

3 Comments

Not to mention that he is trying to replace an article_id with a variable called $password.
Why use sprintf() at all - PHP has variable interpolation in strings. OTOH, a SQL statement built with sprintf() is just as unsafe as an interpolated one... Both methods should be avoided.
@Tomalak - I know, but was merely highlighting a bug in his code, not proposing a better method.
3

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'mexautos'@'localhost' (using password: NO)

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established

Did you check the link? Is it active? You need to be connected before using mysql_real_escape_string(). Did you forget to set the password?

Try:

mysql -u mexautos -p

(type Enter if no password)

Also, check out your sprintf() function, you need to use the %s to bind your variable

$a = 'Foo';
$b = 'Bar';
$foo = sprintf('Foo Bar %s %s', $a, $b);

1 Comment

Trying to connect through the console is a way to check the privilege in a raw way!
2

You need a connection to use mysql_real_escape_string() because it uses the server's encoding type to help sanitize.

Also the sprintf() should look something like this

$query = sprintf("SELECT id FROM votes WHERE username = '%s' AND article_id = %d", 
    mysql_real_escape_string($user),  // escaping only protects the quoted string
    (int) $this->id);                 // the article id, not $password; %d forces an integer

1 Comment

In mine, I wasn't sure if the id was necessarily an integer, so I just went with a string format.
1

I'd recommend using a mature DB abstraction layer like Zend_Db (there are tons of them out there). Implementing your own homebrew solution is not something I'd recommend for a production system.

Comments

0

Like the others said, not '$user' but '%s', and you need an open connection.

@Tomalak sprintf is faster - that's the reason why to use it - it is a native C function.

2 Comments

sprintf is faster than what? When interacting with the database, that's not an especially good reason...
sprintf is faster than built-in PHP string interpolation, and it wasn't related to the database subject, but to Tomalak's comment.
