mysql_real_escape_string strips all content


I have some strings which I am running against mysql_real_escape_string and it returns an empty string here is a sample string

//array value ["street"]=> string(16) "2324 W Burton St" )
echo mysql_real_escape_string ( $_POST["street"] );

That prints nothing in the page, the code works in local host it doesnt in the server (bluehost)

mysql_real_escape_string doesn’t strip anything, so if the result is empty, probably the input was empty.

echo 'street: ' . $_POST['street'] . '<br />';  
echo 'escaped street : ' . mysql_real_escape_string ( $_POST['street'] );  

I actually tried that and also var_dump, the value I added in my first post is the value being processed, the exact same code works in my local machine it just does not work in the server and also only happens to the values passed to the mysql_real_escape_string all other post values like int which I cast or I do a regular expression search work just fine, this is what I’m doing

	$street = isset ( $_POST["street"] )  ? mysql_real_escape_string ( $_POST["street"] ) : "";
	$town = isset ( $_POST["town"] )  ? mysql_real_escape_string ( $_POST["town"] ) : "";
	$city = isset ( $_POST["city"] )  ? mysql_real_escape_string ( $_POST["city"] ) : "";
	$state = isset ( $_POST["state"] )  ? mysql_real_escape_string ( $_POST["state"] ) : "";
	$country = isset ( $_POST["country"] )  ? mysql_real_escape_string ( $_POST["country"] ) : "";
	$zipcode = isset ( $_POST["zipcode"] )  ? mysql_real_escape_string ( $_POST["zipcode"] ) : "";
	$coordinates = isset ( $_POST["coordinates"] )  ? preg_replace ( "/[^0-9,.-]/", "", $_POST["coordinates"] ) : "";
	$phone = isset ( $_POST["phone"] )  ? preg_replace ( "/[^0-9]/", "", $_POST["phone"] ) : "";
	$website = isset ( $_POST["website"] )  ? filter_var ( $_POST["website"], FILTER_VALIDATE_URL ) : "";
	$favoritebook = isset ( $_POST["favoritebook"] )  ? mysql_real_escape_string ( $_POST["favoritebook"] ) : "";
	$aboutme = isset ( $_POST["aboutme"] )  ? mysql_real_escape_string ( $_POST["aboutme"] ) : "";

When I do var_dump all values are there this is it

array(14) { ["uid"]=> string(2) "54" ["coordinates"]=> string(40) "(39.950471420868766, -82.93292737500002)" ["street"]=> string(19) "2419 S Havenwood Dr" ["town"]=> string(13) "East Columbus" ["city"]=> string(8) "Franklin" ["state"]=> string(4) "Ohio" ["country"]=> string(13) "United States" ["zipcode"]=> string(5) "43209" ["phone"]=> string(7) "8765432" ["website"]=> string(26) "" ["favoritebook"]=> string(9) "some book" ["aboutme"]=> string(9) "some info" ["birthdate"]=> string(10) "01/04/1983" ["option"]=> string(17) "com_fantasyleague" } 

Sanity Check: You have instantiated a database connection before these lines of code, correct?

Yes, my problem was that I was using mysql and had to use mysqli, thank you all for your help!

If you are using mysqli then why don’t you use prepare/bind for your database calls and do away with the need to escape anything.

Also you should never run the escape directly on the raw inpit field - you should always validate post fields first before using them in any code at all.

@Felgall, just wondering why you say this? Is there any reason other than say performance, eg if the field is blank no need to escape?

Unless you don’t care what the value is you’re going to save in the database, you should validate user input because you never know what values your script will receive.
If you need a date, you’ll have to make sure the received value is a valid date.
If you need one of a given set of values, for example ‘red’ ‘yellow’ or ‘blue’, you should make sure the received value is one of those before saving it in the database.

Even if you create a form with select boxes with the allowed values, that doesn’t mean someone can’t “hack” it and send your script other values.

Yeah I get that, but he said never to escape unvalidated data, which I thought was a bit too strict. As you say, there are times you don’t care what goes in, or if the data even exists.

As I was reading I was wondering if there was some overhead related with mysql(i)_real_escape_string() that I hadn’t read about which would call validation to try to limit its use, but it seems not :slight_smile: Thanks for clarifying.

I do check and make sure if an expected value is correct like the date, but as far as the name or address goes how could I validate?