Mysql_real_escape_string result empty

Hi there,
I try for the first time making secure queries, and don’t succed.
I have a form and get the data from there with POST, no problem.
here is the code making problems:

if(isset($_REQUEST['newtopic']))
{
    $newt = $_REQUEST['newtopic'];
    echo $newt;
    $newtopic = mysql_real_escape_string($newt);
    echo $newtopic;
}

$newt brings the desired “Test”, but $newtopic is blank.
But I also saw there are other ways to secure the handling with MySQL, like prepared statements. i will take a look at that too.
But the question remains: why does a common function deliver an empty string?
Thanks in advance,

The method you are trying is obsoloete.
The mysql functions have been removed from PHP, so they won’t work in any currently supported version. For them to work you would have to use an obsolete version which is no longer supported and getting any security updates.

Instead you must use either mysqli of PDO to communicate with the database in PHP. I would recommend PDO.
The modern way to make your queries secure is to use prepared statements. No one uses escape strings anymore.

Serach for some info on starting with PDO and prepared statements.
I’m sure there will be more questions to follow…

1 Like

Thank you SamA74.
Well questions may follow :slight_smile:
I understand the concept of prepared statements I believe. But the hard parts are often hidden in the details.

Give it a go, I’m sure you’ll pick it up. Only one way to find out, anyway.

1 Like

Like many things, it’s simple once you know how.
PDO can seem daunting if you are used to using proceedural methods, but once you find your feet it’s a pleasure to use.

As a basic look at prepared statements, it’s a two step process to prepare then execute.
The query is prepared, with placeholders in place of values.
Then is is executed, passing the values in as an array.

Placehlders can be named using :valueName syntax, with the data being an associative array with keys matching the value names.

$sql = $read->prepare("SELECT * FROM user WHERE user_id = :user_id");
$sql->execute([':user_id' => $id]);

Or sometimes more flexible is the use of un-named placeholders using ? and the data in a regular array.

$sql = $read->prepare("SELECT * FROM user WHERE user_id = ?");
$sql->execute([$id]);

The above assumes you already have a PDO connection named $read, so the first step is to connect to PDO, but this is just to illustrate how simple prepare and execute can be.

1 Like

Hi,
I made the connection with PDO, that was not difficult.
I also found out how to prepare a query, not difficult either.
What the tutorials let out is:
How do I determine how found/nothing found?
Out of the tutorial I get following lines:

$stmt = $pdo->prepare('SELECT * FROM benutzer WHERE uname = ? AND pwd=?');
$stmt->execute([$uname, $pwd]);
$user = $stmt->fetch();

What is getting fetched here? The complete record? Can I address with $user[“uname”]?
And what is when the conditions are wrong (username password false)?
Is there any error handling in PDO? (I am sure it is, but until I have read the complete documentation there is a new version of PHP)

You could have a look at rowCount() to see how many rows are returned.

Exactly what you asked for - all columns from your table for rows where the username and password match the supplied information.

Have a look at the variables, and what they contain. Use var_dump() to see what’s in them.

Your query returns no rows.

Possibly a good thing to read more about PHP and then come back with any remaining questions. All of the above is in the documentation.

What is more concerning, though, is your query:

$stmt = $pdo->prepare('SELECT * FROM benutzer WHERE uname = ? AND pwd=?');

where you are providing the password into the query. This suggests you are either storing plain-text passwords (please, no) or you are using your own method of hashing / encrypting passwords. If you are doing either of these, please read up on password_hash() for storing the password, and password_verify() for checking it. Once you have implemented that, you can change the query to

$stmt = $pdo->prepare('SELECT * FROM benutzer WHERE uname');

and then use password_verify() on the results.

And while you’re changing the query, consider changing it (and any others) to only retrieve the columns that you actually need. Selecting * all the time is a bit of a waste of resources.

2 Likes

Thank you very much for the hints, I will follow them.
Yes, stupid idea to ask for the password in the query, even if hashed.
I used the * as from the tutorial just to get a start, am aware of selecting which fields.

1 Like

Further than that, when you change to use password_hash(), you won’t be able to have it in the query, because the output is different each time. That’s why you have to recover the hash in your query, and then use password_verify() on it. That requires your username to be unique, which of course it will be.

Yep, very commonly done. I still have queries that I should get around to changing as they’re like that and don’t need to be.

I still have problems with PDO. In the traditional way (like i programmed 10 years ago) I get a result with:

$sql = "SELECT * FROM benutzer where uname='" . $uname . "'";
echo $sql;
if ($conn->query($sql) == TRUE) {
    echo "Login succesfully. Login bien";
} else {
    echo "Login failed. Login ha fallado.";
}

Login succesfully. Login bien
And with:

$stmt = $conn->prepare('SELECT * FROM benutzer WHERE uname');
$stmt->execute([$uname]);
$user = $stmt->fetch();
echo $user["uname"];

I get no output.

(This is like picking up rice on a beach)

OP, study this PDO tutorial and see what it does for you and then post an updated version of your code if you are still stuck.

Look at the difference between the query you execute here, and the query that you posted in post number 6. What is different? In fact, what is different between the two queries you posted there?

The difference is

uname = ? 

That works, thanks.As i said - details.
But well I trusted the tutorial.
And next one in the tutorial doesn’t work either. Partly pretty frustrating stuff, I will seek another.

That’s the trouble with tutorials - anyone can write them. And the landscape changes so quickly, people don’t tend to update or remove old tutorials, as long as they get a few hits.

Lots of people refer to this site, though I haven’t seen it mentioned recently. https://phpdelusions.net/

Right here in this thread post #13

1 Like

Thanks, I try that.
EDIT: That is the one I tried ( https://phpdelusions.net/) with no good results. The two examples I tried did not work out of the box. And at least the core examples should work to improve the understanding, not having to search at other places why it doesn’t work.

Now I have at least succeded to login properly, a milestone in fact. The next challenge will be to save data from a form, I wonder in how many traps I will tap into there. But give up:NEVER.
i MUST SAY, YOU GUYS ARE REALLY GOOD AND HELPFUL.
I am very grateful for that.

Which ones? It’d be interesting to know what problems you had with them. If people are referring to a site with bad tutorials, that’s not a good thing.

This one;
EDIT: fitted to my table.

$stmt = $pdo->query('SELECT uname FROM benutzer');
while ($row = $stmt->fetch())
{
    echo $row['uname'] . "\n";
}
``
throws out the message

Fatal error : Uncaught Error: Call to a member function fetch() on boolean in /var/www/html/topicsend.php:26 Stack trace: #0 {main} thrown in /var/www/html/topicsend.php on line 26
´´´

And the error from entry 10

$stmt = $conn->prepare('SELECT * FROM benutzer WHERE uname');
$stmt->execute([$uname]);
$user = $stmt->fetch();
echo $user["uname"];

where should be uname=?

This generally means that the query has failed. It does not mean that the example is incorrect, it might be because your database connection didn’t work properly, for example. When you call query() it executes the query and returns either a results object, or false. In this case, for whatever reason (and the code snippet isn’t sufficient to say more) it has returned false. Then you try to loop through a results object that doesn’t exist, and get the error message. You’d need to show the prior code to give any more idea why it fails. Did your database connection open properly? Did you check that you’ve changed all variable names in the example code to the correct ones?

Have a look at your old-style example in that very same post, and you can see how it ends. All you need to do is put a ? instead of concatenating the variable into the query string.

Example 1:
There is no more code. With the second example I get the correct result, so the connection is ok. The query is as simple as can be, in my opinion:

select  uname from benutzer

the second:

select * from benutzer where uname=?

works.