mysql-real-escape-string - Solved!

Dawg · Posted: Thu Jan 19, 2012 7:29 pm

Guys I have a Stumper for you...

This is one PHP 5.3.8-2.el5.art, MYSQL 5.5.18-1.el5.art, RN 2.5
I can NOT get mysql_real_escape_string to work.

Example code....
I am sparing you the entire SQL statement. It works like a champ without mysql_real_escape_string.

Code:

list ($tid,$town_name,$rank) = $db->sql_fetchrow($result);
$tid = mysql_real_escape_string($tid);

From the server log file....
[Thu Jan 19 20:25:56 2012] [error] [client XX.XXX.XXX.XXX] PHP Warning: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: Access denied for user 'apache'@'localhost' (using password: NO) in /complete_path/index.php on line 245, referer:

Only registered users can see links on this board!
Get registered or login to the forums!

[Thu Jan 19 20:25:56 2012] [error] [client XX.XXX.XXX.XXX] PHP Warning: mysql_real_escape_string() [<a href='function.mysql-real-escape-string'>function.mysql-real-escape-string</a>]: A link to the server could not be established in /complete_path/index.php on line 245, referer:

Only registered users can see links on this board!
Get registered or login to the forums!

There is a DB connection right above this in the SQL statement so it SHOULD use that connection.

Thank You for your time!

Dawg

If anyone has any ideas....Please let me know.

nuken · Posted: Thu Jan 19, 2012 7:50 pm

try using mysqli_real_escape_string

Dawg · Posted: Thu Jan 19, 2012 8:01 pm

I have...No Love.

Thanks for the try though....It is a STUMPER!

Dawg

nuken · Posted: Thu Jan 19, 2012 8:28 pm

Give the RN function $db->sql_escape_string() a try.

Dawg · Posted: Thu Jan 19, 2012 8:30 pm

Do you mean like this?

$tid = $db->sql_escape_string($tid);

Dawg · Posted: Thu Jan 19, 2012 8:32 pm

That worked....Should I use this in place of mysql_real_escape_string

I have never seen or heard of $db->sql_escape_string()

Dawg

nuken · Posted: Thu Jan 19, 2012 8:37 pm

I would. I is a built in RavenNuke db layer function that is used for mysqli_real_escape_string function.

Dawg · Posted: Thu Jan 19, 2012 8:46 pm

Got ya...THANK YOU! This has driven me NUTS for a couple of days!

Dawg

Raven · Posted: Thu Jan 19, 2012 8:52 pm

I am making this a sticky - thanks!

Dawg · Posted: Thu Jan 19, 2012 8:53 pm

Raven,

You might also want to move this to the 2.5 forum.

Dawg

fkelly · Posted: Thu Jan 19, 2012 9:04 pm

Oops ... thanks Dawg and Nuken for tracking this down. I had a problem report on modules I have written tonight about data not being saved. Tracked it down to this same cause. I know that I was using mysql_real_escape_string in the 2.5 code but just looked and Palbin must have globally changed it to the correct code. I guess I just missed where that was communicated. Nonetheless any customized modules that people are trying to run with 2.5 are going to run into problems until they are converted.

fkelly · Posted: Thu Jan 19, 2012 9:32 pm

Question for Palbin ... would it be possible to define a constant for the top of mysqli.php such that mysql_real_escape_string would continue to work, at least in compatibility mode? I really don't understand why the statement is not working presently in 2.5. Mysql_real_escape_string that is. It is "built-in" to PHP. I guess it is something about the connection working differently with the new database layer? But I don't understand it.

Palbin · Posted: Thu Jan 19, 2012 10:02 pm

The price of progress. There is nothing we can do short of adding ad additional db connection. Which would double the amount of connections a site needs.

Raven · Posted: Fri Jan 20, 2012 12:53 am

Dawg wrote:

Raven,

You might also want to move this to the 2.5 forum.

Dawg

I did that at the same time Wink

Palbin · Posted: Fri Jan 20, 2012 8:33 am

I know it was already stated here, but I would just like to say it again. Everyone needs to be using $db->sql_escape_string() so that we can avoid problems like this in the future.

montego · Posted: Sat Jan 21, 2012 8:45 am

Palbin, I have noticed even some new code was added in 2.5 which is using addslashes() still. Having been a part of many releases in the past, I completely understand why this is the case, so this is not a criticism but more a question. Should we (RN Team + Module developers) replace all our addslashes() with this new DB class method?

Palbin · Posted: Sat Jan 21, 2012 10:40 am

I would have to say yes.

fkelly · Posted: Sat Jan 21, 2012 10:51 am

While agreeing with Palbin, my greying head makes me want to say that we should have an approach to making global changes such as this that conserves resources rather than making multiple passes over the course of the 2.5 to 3.0 update. Including passes at code that we eventually eliminate.

Not to be obscure in saying this ... for example ... news/admin/index.php has a number of functions that overlap and are partially duplicative of each other. It needs to be totally refactored and where we have 8 functions (not an exact number) we should probably have one or two. So, if we are going to make distribution wide changes there we should first get rid of the extraneous code then make the changes rather than making global changes to code we eventually delete. (And I know that there are probably no addslashes left in that code I reference, but just for example).

In other words we need a plan and a timetable and not helter-skelter running around eliminating 7 zillion addslashes (look in the NS code if you want to see those).

montego · Posted: Sun Jan 22, 2012 8:31 am

@Palbin - ok. Thank you for the guidance.

@fkelly - I had started to give some suggestions on how to handle, but decided not to go more OffTopic

to the thread.

viper155 · Regular Joined: Feb 18, 2006 Posts: 99

I just upgraded our site and alot of our custom blocks are not working. Is this issue related to this post at all??

Code:

<?php

if (eregi("block-youtube-video-random.php",$PHP_SELF)) {
Header("Location: index.php");
die();
}

$res=mysql_query("SELECT tt_vids_videos.id, tt_vids_videos.url,
 tt_vids_videos.title
 FROM tt_vids_videos
 WHERE tt_vids_videos.active='1' AND tt_vids_videos.video_type='youtube' order by RAND() Limit 1") or die(mysql_error());

$myrow=mysql_fetch_array($res);
$v=getYoutubeVideoID($myrow[url]);

$content .= "<center>$myrow[title] <object width=\"135\" height=\"150\"><param name=\"movie\" value=\"http://www.youtube.com/v/$v";
$content .= '&rel=1&color1=0x3a3a3a&color2=0x999999&border=0"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/';
$content .= $v;
$content .= '&autoplay=0&rel=1&color1=0x3a3a3a&color2=0x999999&border=0" type="application/x-shockwave-flash" wmode="transparent" width="135" height="150"></embed></object></center>';



$content .= " <center><a href=\"modules.php?name=Youtube_Videos\">Click here for more videos</a></center>";

function getYoutubeVideoID($url) {
 $url_args=strstr($url, "?");
 $url_args=substr($url_args, 1);
 parse_str($url_args);
 return $v;
}

?>

What would I need to change if you can find anything in that code that is causing it not to work. Also on a few of our custom models we are also getting "Access denied for user 'apache'@'localhost' (using password: NO)" errors.

Palbin · Posted: Mon Feb 06, 2012 5:46 am

viper155, your problem is not exactly this problem, but is related. I do not have time this morning to fix this block, but I or someone will get to it. Please start other topics for your modules. It they are a lot of code please zip them up and post a link.

Dawg · Posted: Mon Feb 06, 2012 5:59 am

Try this...

I do not have a way of testing it to se what else is wrong...but...

Code:

<?php
if ( !defined('BLOCK_FILE') ) {
Header('Location: ../index.php');
die();
}
$res=mysql_query("SELECT tt_vids_videos.id, tt_vids_videos.url,tt_vids_videos.title FROM tt_vids_videos WHERE tt_vids_videos.active='1' AND tt_vids_videos.video_type='youtube' order by RAND() Limit 1") or die(mysql_error());
$myrow = $db->sql_fetchrow($res);
$v=getYoutubeVideoID($myrow['url']);
$content .= "<center>$myrow[title] <object width='135' height='150'><param name='movie' value='http://www.youtube.com/v/$v";
$content .= '&rel=1&color1=0x3a3a3a&color2=0x999999&border=0"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/';
$content .= $v;
$content .= '&autoplay=0&rel=1&color1=0x3a3a3a&color2=0x999999&border=0" type="application/x-shockwave-flash" wmode="transparent" width="135" height="150"></embed></object></center>';
$content .= " <center><a href='modules.php?name=Youtube_Videos'>Click here for more videos</a></center>";
function getYoutubeVideoID($url) {
$url_args=strstr($url, "?");
$url_args=substr($url_args, 1);
parse_str($url_args);
return $v;
}
?>

Dawg

nuken · Posted: Mon Feb 06, 2012 7:40 am

If that doesn't work for you, you can try this one:

Code:

<?php

if ( !defined('BLOCK_FILE') ) {
Header('Location: ../index.php');
die();
}

global $db;
$res=$db->sql_query("SELECT tt_vids_videos.id, tt_vids_videos.url,
tt_vids_videos.title
FROM tt_vids_videos
WHERE tt_vids_videos.active='1' AND tt_vids_videos.video_type='youtube' order by RAND() Limit 1") or die($db->sql_error());

$myrow=$db->sql_fetchrow($res);
$v=getYoutubeVideoID($myrow[url]);

$content .= "<center>$myrow[title] <object width=\"135\" height=\"150\"><param name=\"movie\" value=\"http://www.youtube.com/v/$v";
$content .= '&rel=1&color1=0x3a3a3a&color2=0x999999&border=0"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/';
$content .= $v;
$content .= '&autoplay=0&rel=1&color1=0x3a3a3a&color2=0x999999&border=0" type="application/x-shockwave-flash" wmode="transparent" width="135" height="150"></embed></object></center>';

$content .= " <center><a href=\"modules.php?name=Youtube_Videos\">Click here for more videos</a></center>";

function getYoutubeVideoID($url) {
$url_args=strstr($url, "?");
$url_args=substr($url_args, 1);
parse_str($url_args);
return $v;
}
?>

Dawg · Posted: Mon Feb 06, 2012 8:08 am

Nuken,

You are correct. I did not declare db and fix the sql statement.

If it hard to fix things you can NOT run to see what happens.

Dawg

nuken · Posted: Mon Feb 06, 2012 8:46 am

very true....