I'm trying to implement mysql_real_escape_string() on vars that will be fed into an INSERT query but what I'm doing is throwing errors.
On php.net it indicates that mysql_real_escape_string() can be used on variables prior (I'm paraphrasing by memory) to inclusion into a query, but when I tried this as a test:
$first = mysql_real_escape_string($_SESSION['Personal']['first']['value']);
$sq1 = "INSERT INTO tbl_client_users VALUES($first)";
dbQuery($sq1,FALSE);
I got this:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in (directory path...).
I noticed in the example on php.net that they were using sprintf around the "INSERT INTO..." within which was the mysql_real_escape_string($var).
Must this function be used inside the query string, or can it be used to escape single quotes before vars are fed to a query string, similar to addslashes()?
Neophyte
2) also your query is missing some elements.
instead of
$sq1 = "INSERT INTO tbl_client_users VALUES($first)";
rewrite it to
$sq1 = "INSERT INTO tbl_client_users (first) VALUES('$first')"; //assuming all other fields in this table are allowed null or auto_increment.
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If by chance no connection is found or established, an E_WARNING level warning is generated.
dc
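The ordering issue discussed in this thread, as an added example that is not code from either poster: the connection is opened before any escaping and passed explicitly, and the same insert is shown with a bound parameter. It uses mysqli rather than the thread's mysql_* functions (that extension was removed in PHP 7.0); the host, credentials, database name and the helper names insertEscaped/insertPrepared are placeholders, while the table and column names are the ones used in the reply above.

```php
<?php
// Added example. Connection details and helper names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of silent warnings

// Escape-then-interpolate: the escaping call needs an open connection,
// because the correct escaping depends on that connection's character set.
function insertEscaped(mysqli $db, string $first): void
{
    $escaped = $db->real_escape_string($first);
    // The value must still be wrapped in quotes inside the SQL text.
    $db->query("INSERT INTO tbl_client_users (first) VALUES ('$escaped')");
}

// Prepared statement: the value travels separately from the SQL text,
// so no manual escaping or quoting is involved at all.
function insertPrepared(mysqli $db, string $first): void
{
    $stmt = $db->prepare('INSERT INTO tbl_client_users (first) VALUES (?)');
    $stmt->bind_param('s', $first);
    $stmt->execute();
    $stmt->close();
}

// 1) Connect FIRST. Without an open link the old mysql_real_escape_string()
//    tried to connect with default credentials, which is what produced the
//    "Access denied for user 'ODBC'@'localhost'" warning in the question.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db'); // placeholders
$db->set_charset('utf8mb4'); // set the charset before escaping anything

// 2) Constructed sample value standing in for
//    $_SESSION['Personal']['first']['value'].
$first = "O'Brien";

insertEscaped($db, $first);
insertPrepared($db, $first);

$db->close();
```

Both calls store the same value; the prepared form also stays correct if someone later forgets the quotes around the placeholder position, which is the mistake in the original query.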