I have a problem with mysql_real_escape_string. I use ezSQL to connect with MySQL.
Problem:
mysql_real_escape_string($username) and mysql_real_escape_string($password) turn out empty.
Code:
$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'");
Work-around:
Putting mysql_real_escape_string BEFORE or inside $row makes the value empty. Putting mysql_real_escape_string AFTER $row makes it work. Hence, have another $db in front of the existing $row:
$row2 = $db->get_row("SELECT firstname, secondname, id FROM users");
$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'");
Question:
How can I properly fix this?
ezSQL has its own escape method you should be using – Dagon
Thank you, this solved my question! I have updated my code to:
$password = $db->escape($_POST['password']);
$username = $db->escape($_POST['username']);
$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".$username."' AND password='".$password."'");
I will work towards upgrading to MySQLi later. I know that ezSQL also offers a MySQLi component. Thanks for your suggestions Destruction, meda and Christophe Ferreboeuf!
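
The login lookup from this thread written with a bound parameter instead of an escape call, as an added example that is not the poster's code or part of ezSQL. It uses PDO rather than MySQLi, with in-memory SQLite standing in for MySQL so it runs offline; the find_user helper, the sample row and the assumption that the password column stores a password_hash() value are not from the post.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL so the script runs offline;
// against MySQL only the DSN passed to the PDO constructor changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table. Column names follow the query in the post, except that
// `password` is assumed to hold a password_hash() value rather than the raw password.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, firstname TEXT, secondname TEXT,
    login TEXT UNIQUE, password TEXT)');
$ins = $pdo->prepare(
    'INSERT INTO users (firstname, secondname, login, password) VALUES (?, ?, ?, ?)');
$ins->execute(['Ann', "O'Neil", "ann.o'neil",
               password_hash('correct horse', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: returns the user row on a successful login, null otherwise.
 */
function find_user(PDO $pdo, string $username, string $password): ?array
{
    // The login value is bound as a parameter and never becomes part of the SQL
    // text, so quotes in it need no escaping.
    $stmt = $pdo->prepare(
        'SELECT id, firstname, secondname, password FROM users WHERE login = :login');
    $stmt->execute([':login' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password is checked against the stored hash in PHP, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // do not hand the hash back to the caller
    return $row;
}

// Constructed inputs: a login containing a quote with the right password,
// the same login with a wrong password, and an unknown login containing a quote.
var_dump(find_user($pdo, "ann.o'neil", 'correct horse'));
var_dump(find_user($pdo, "ann.o'neil", 'wrong'));
var_dump(find_user($pdo, "nobody' --", 'x'));
```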