This code is supposed to ensure that clean code gets to the database.
It is supposed to work in earlier versions of PHP (earlier than 4.3.0) and later versions of PHP (older than 4.3.0).
It works well because the data gets to the database without a problem, but I get an error on the browser.
$menu_name = mysql_prep($_POST['menu_name']);
is how I call the mysql_prep function:
function mysql_prep($value)
{
    $get_magic_quotes = get_magic_quotes_gpc();
    // check if PHP version is 4.3.0 or greater
    $new_enough_php = function_exists("mysql_real_escape_string");
    if ($new_enough_php) // PHP is of a newer version
    {
        // undo magic quotes effect so that mysql_real_escape_string can work well
        if ($get_magic_quotes)
        {
            $value = stripslashes($value);
        }
        $value = mysql_real_escape_string($value);
    }
    else // PHP is older than 4.3.0
    {
        // add slashes manually if magic quotes are off
        if (!$get_magic_quotes)
        {
            $value = addslashes($value);
        }
        // if magic quotes are on, the slashes already exist
    }
    return $value;
    //$value = mysql_real_escape_string($value);
    //$value_without_slashes = stripslashes ($value);
    //return $value_without_slashes;
}
For starters, that function could be shortened to about 5 lines (it would be easier to read, too).
Secondly, are you connected to MySQL when you call that function? You must be connected for PHP to know how/what to escape. It's not 100% clear from the manual for mysql_real_escape_string, but it is implied:
"If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments."
If that still doesn't solve it, I suggest printing the query prior to executing it and checking everything is in order.
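One way to combine both points of the answer above, as an added example that is not code from either poster: a shortened mysql_prep() that requires an open connection before it escapes. It targets the legacy mysql_* extension used on this page; the $link parameter, the error message and the connection details are assumptions.

```php
<?php
// Added example: shortened mysql_prep() for the legacy mysql_* extension.
// The $link parameter is an assumption; the original function takes only $value.
function mysql_prep($value, $link)
{
    // Undo magic quotes first so the value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // PHP older than 4.3.0: no connection-aware escaping is available.
    if (!function_exists('mysql_real_escape_string')) {
        return addslashes($value);
    }
    // Refuse to escape without an open link instead of letting PHP attempt
    // an implicit mysql_connect() with no arguments and emit a warning.
    if (!is_resource($link)) {
        trigger_error('mysql_prep() called without a MySQL connection', E_USER_ERROR);
    }
    return mysql_real_escape_string($value, $link);
}

// Connect first, then escape. Host and credentials are placeholders.
$link = mysql_connect('localhost', 'db_user', 'db_password');
if (!$link) {
    die('Could not connect: ' . mysql_error());
}
$menu_name = mysql_prep($_POST['menu_name'], $link);
```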