mysql_real_escape_string not working for me

Francisco F. · Jan 22, 2017 · Viewed 14.1k times

When I try to do a mysql_real_escape_string for a login system, it does not record the variable from the form. If I do

$username = $_POST['username'];

and echo it, it displays, but when I do

$username = mysql_real_escape_string($_POST['username']);

and echo it, it does not display. I also tested the database connections, and they work. This is my code:

<?php
session_start();
$db = mysqli_connect($connection, $user, $pass, $database);
if (isset($_POST['submit'])) {
    // mysql_real_escape_string() belongs to the old mysql extension and expects a
    // mysql (not mysqli) link; with only a mysqli connection it does not return the
    // escaped string, which is why the echo below prints nothing.
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    echo $username;

    $sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
    echo $sql;
    // procedural mysqli_query() takes the connection first, then the query string
    $result = mysqli_query($db, $sql);
}

It used to work before, but for some reason it stopped working suddenly. Any help is appreciated. :)

Answer

elixenide · Jan 22, 2017

First, you shouldn't be escaping data to build queries. You should be using prepared statements. See How can I prevent SQL injection in PHP?

That said, your problem is that you're using mysql_real_escape_string(), but you have a mysqli (not mysql) connection. mysqli and mysql are different extensions. Please don't use mysql_*; the mysql_* functions are outdated, deprecated, and insecure - they have been removed entirely from modern versions of PHP (version 7.0 and higher). Use MySQLi or PDO instead.

To fix your problem temporarily, use mysqli_real_escape_string() instead of mysql_real_escape_string(). To fix it permanently and correctly, use prepared statements and not escaping.
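The login check from the question rewritten with a mysqli prepared statement, as the answer recommends. This is an added example, not code from the asker or the answerer; it assumes the same $connection, $user, $pass and $database variables as the question, and a users table whose password_hash column holds values produced by password_hash() (the question's plaintext password column is not assumed).

```php
<?php
// Added example: login check with a bound parameter instead of string escaping.
// Assumed: $connection, $user, $pass, $database as in the question; a `users`
// table with `id`, `username` and `password_hash` (password_hash() output).
session_start();

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on driver errors
$db = new mysqli($connection, $user, $pass, $database);
$db->set_charset('utf8mb4'); // escaping/binding is only correct for the declared charset

if (isset($_POST['submit'], $_POST['username'], $_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    // User input never becomes part of the SQL text: it is sent to the server as a
    // bound parameter, so quotes or backslashes in it cannot alter the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() checks the submitted password against the stored hash;
    // the same message is returned whether the username or the password was wrong.
    if ($found && password_verify($password, $hash)) {
        session_regenerate_id(true); // new session id after a privilege change
        $_SESSION['user_id'] = $id;
        echo 'Login OK';
    } else {
        echo 'Invalid username or password';
    }
}

// If escaping is unavoidable (e.g. for a column name built from a whitelist),
// the procedural form takes the connection first: mysqli_real_escape_string($db, $v).
```

The temporary fix the answer mentions (mysqli_real_escape_string with the mysqli connection as its first argument) is noted in the trailing comment; the prepared statement is the permanent one.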