Member Avatar for onofej

hello everyone,
i have read through other post but could not resolve my issues. i need someone to see to my code. i am trying
mysql_real_escape_string for my datas. but the one without it can insert properly while the one with the mysql_escape does not. from my code, i am able to insert lastname into database but not the firstname. i connected to my database first because i read to use mysql_real_escape_string you have to be first connected.and i do not want to work without taking sql injection into account. could someone help please

include ('config.php');
if (isset($_POST['formsubmitted'])) {

    $dbc = @mysqli_connect($servername,$firstname,$dbpassword,$database );
    if (!$dbc) {
     trigger_error('no connection to MySQL: ' . mysqli_connect_error());
    }

    if (empty($_POST['firstname'])) { 
        $error[] = 'Please Enter a first name '; 
    } else {
        $firstname = mysql_real_escape_string( stripslashes( $_POST[ 'firstname' ] ) ); 


    }
    if (empty($_POST['lastname'])) { 
        $error[] = 'Please Enter a last name '; 
    } else {
         $lastname      =  $_POST[ 'lastname' ] ; 
    }
  • 2 Contributors
  • 4 Replies
  • 104 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by onofej

Recommended Answers

All 4 Replies

Member Avatar for diafol

Your using mysqli and then mysql. You'd be better off using a paramterized query.

Member Avatar for onofej

thanks but i have changed it to mysqli and still same. i am using this method as it enable me validate email and comapre 2 password properly. would you please give me an example of what the paramatised should look like?

include ('config.php');
if (isset($_POST['formsubmitted'])) {

    $dbc = @mysqli_connect($servername,$username,$dbpassword,$database );
if (!$dbc) {
 trigger_error('Could not connect to MySQL: ' . mysqli_connect_error());
}

    if (empty($_POST['firstname'])) { //if no name has been supplied
        $error[] = 'Please Enter a first name '; //add to array "error"
    } else {
        $firstname     = mysqli_real_escape_string( stripslashes( $_POST[ 'firstname' ] ) ); //else assign it a variable
    }
    if (empty($_POST['lastname'])) { //if no name has been supplied
        $error[] = 'Please Enter a last name '; //add to array "error"
    } else {
         $lastname      =  $_POST[ 'lastname' ] ; //else assign it a variable
    }

    if (empty($_POST['email'])) {
        $error[] = 'Please Enter your email ';
    } else {

        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/",
            $_POST['email'])) {
            //regular expression for email validation
            $email         = mysql_real_escape_string( stripslashes( $_POST[ 'email' ] ) );
        } else {
            $error[] = 'Your email Address is invalid  ';
        }

    }
Member Avatar for diafol

Before using mysqli_* functions, read the php manual: http://php.net/manual/en/mysqli.real-escape-string.php

As opposed to mysql_* functions, you must include the link identifier. In addition, php has built-in email filters and sanitizers, so you don't need regex validation:

http://uk3.php.net/manual/en/filter.filters.validate.php
http://uk3.php.net/manual/en/filter.filters.sanitize.php

Also you can do away with the stripslashes as a rule. Depends what version of php you're using and if magic quotes are enabled.

For mysqli parameter binding: http://php.net/manual/en/mysqli-stmt.bind-param.php

Note than you need to enter the data type as a first parameter, e.g. 'si' for string then integer

Member Avatar for onofej

thanks for theinformation and for your time i will go through it

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.