mysql_real_escape_string() just makes an empty string?
Solution 1
Are you 1000% sure that $_POST["likeMsg"]
actually contains something?
As for mysql_real_escape_string()
returning an empty value, the manual says there is only one situation where that can happen:
Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.
this doesn't seem to be the case here though, as you do have a connection open. Strange.
Solution 2
As the other answers don't make clear what exactly to do, here's my:
When you do
$db_connection = new mysqli($SERVER, $USERNAME, $PASSWORD, $DATABASE);
you need to escape like this:
$newEscapedString = $db_connection->real_escape_string($unescapedString);
NOTE: Because people are downvoting this (WTF!?), here's the official page of the official php manual that says EXACTLY what i have posted: real_escape_string @ PHP Manual.
Solution 3
For people who might be finding this again now, I just ran into this problem as I'm migrating from PHP5 to PHP7. I'm changing from
string mysql_real_escape_string(string $unescaped, [resource $link = NULL])
to:
string mysqli_real_escape_string(mysqli $link, string $escapestr)
So, in other words, the database $link is no longer optional and moves to the first argument position. If left out, it returns an empty string, without an error, apparently.
Solution 4
Do a var_dump of $_POST['likeMsg'], and a var_dump of $likeMsg. That gives you information on what goes wrong.
VIVA LA NWO
Updated on June 11, 2022Comments
-
VIVA LA NWO almost 2 years
I am using a jQuery AJAX request to a page called
like.php
that connects to my database and inserts a row. This is thelike.php
code:<?php // Some config stuff define(DB_HOST, 'localhost'); define(DB_USER, 'root'); define(DB_PASS, ''); define(DB_NAME, 'quicklike'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error()); $sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error()); $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg'])); $timeStamp = time(); if(empty($likeMsg)) die('ERROR: Message is empty'); $sql = "INSERT INTO `likes` (like_message, timestamp) VALUES ('$likeMsg', $timeStamp)"; $result = mysql_query($sql, $link) or die('ERROR: ' . mysql_error()); echo mysql_insert_id(); mysql_close($link); ?>
The problematic line is
$likeMsg = mysql_real_escape_string(trim($_POST['likeMsg']));
. It seems to just return an empty string, and in my database under thelike_message
column all I see is blank entries. If I removemysql_real_escape_string()
though, it works fine.Here's my jQuery code if it helps.
$('#like').bind('keydown', function(e) { if(e.keyCode == 13) { var likeMessage = $('#changer p').html(); if(likeMessage) { $.ajax({ cache: false, url: 'like.php', type: 'POST', data: { likeMsg: likeMessage }, success: function(data) { $('#like').unbind(); writeLikeButton(data); } }); } else { $('#button_container').html(''); } } });
All this jQuery code works fine, I've tested it myself independently.
Any help is greatly appreciated, thanks.
-
VIVA LA NWO almost 14 yearsI read that when I google'd the problem. I have initiated a database connection before using
mysql_real_escape_string()
though. -
Pekka almost 14 years@James then it must be that data itself. Can you show a dump of
$_POST
? -
Pekka almost 14 years@James alternatively, can you try explicitly specifying the connection as a parameter?
-
Paschalis almost 12 yearsi was on that only situation!
-
Ryhan over 10 years+1 I viewed the docs. Maybe people are more use to seeing the procedural form rather than the object oriented form.