-2

Can someone explain why I am getting this error when I am setting up a new website, and how to solve it?

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/sitename/public_html/cms/cms/admin/report.php on line 8

Now contents of line 8:

$report = mysql_real_escape_string( $report );

EDIT

<?php

require_once('auth.php'); require('core/plugin.php');
// session details  are here 
require('core/connection.php');
if($session_id == $session_id){
    $report = $_POST['reportmsg'];
    $report = strip_tags( $report );
    $report = mysql_real_escape_string( $report );
    $report = trim( $report );
    if($report == ""){
        die("textarea void");
        exit();
    } elseif($report == $report) {
        $sql="INSERT INTO report (site_id, date, time, ticket_id, bug)
        VALUES
        ( 
            '$session_id',
            '$date',
            '$time',
            '$ticket_id',
            '$report'
        )";
        if (!mysqli_query($con,$sql)) {
            die("Failed  to connect");
            exit();
        }
        echo ("<font style='font-family:Tahoma;'>ticket sent</font>");
        exit();
    }
}
?>
Glitch Desire
codefun
  • It's line 8, if I am still able to count. – Your Common Sense Aug 14 '13 at 12:02
  • Ya line 8 has the problem but why? and how to solve it – codefun Aug 14 '13 at 12:36
  • "U" have said it's line 14. You need to sort out your code first. – Your Common Sense Aug 14 '13 at 12:37
  • Other code has been removed where I wrote "session details are here". The question has been edited. – codefun Aug 14 '13 at 12:40
  • Instead of messing with all the SQL escaping, please use parametrized queries, and maybe even switch to PDO, to avoid your SQL injections. See http://bobby-tables.com/php for examples. – Andy Lester Aug 14 '13 at 12:44
  • @AndyLester Turns out he's already using mysqli, he's just using the wrong escaping function. – Glitch Desire Aug 14 '13 at 12:47
  • 1
    I know he's using mysqli. Please reread what I wrote: "Instead of messing with all the SQL escaping, please use parametrized queries..." – Andy Lester Aug 14 '13 at 12:49
  • @AndyLester Sorry if I misunderstood, I read your comment as saying he needs to switch to PDO to avoid SQL injections, so assumed you didn't notice he was using `mysqli` (which has [prepared statements](http://php.net/manual/en/mysqli.prepare.php)) rather than `mysql`. – Glitch Desire Aug 14 '13 at 12:56
  • Thanks to @AndyLester, I'll try that in the next version; it seems to be a good suggestion. – codefun Aug 14 '13 at 13:02
  • @codefun Have added a little on bound statements in `mysqli` to my answer, the documentation is very clear and will help you a lot. – Glitch Desire Aug 14 '13 at 13:05

3 Answers

4

You haven't established a connection to your database

This function takes into account the character set on the database you're using (documentation), so it needs a connection to a database in order to work. Run this before any escape strings:

mysql_connect('server','username','password');

Or alternatively, consider not using mysql_* because it's deprecated, may fall out of maintenance and may be removed from a future version of PHP. You may be better off using mysqli or PDO.

Edit: Looks like you may already be using mysqli

Since you added your code, I noticed that your query is called with mysqli_query. You are probably connected to your database using mysqli, in which case, change the following line:

mysql_real_escape_string($report);

To this line:

mysqli_real_escape_string($con,$report);

These are two different APIs and don't share connection objects, so your mysql_* function cannot use your mysqli_* connection.

Having said that, you may be better off using prepared statements...

Lines and lines of escaping can make your queries safe, but they're expensive and introduce boilerplate into your code.

As others have suggested, you may wish to look into prepared statements instead:

$stmt = mysqli_prepare($con, "INSERT INTO `report` (site_id, date, time, ticket_id, bug) VALUES (?,?,?,?,?)");
mysqli_stmt_bind_param($stmt, "issis", $session_id, $date, $time, $ticket_id, $report);
mysqli_stmt_execute($stmt);

On a side note, re: die() and exit()

You use this a few times in your code:

die("textarea void");
exit();

These two functions are aliases (die() and exit() do exactly the same thing), and your code never reaches exit(). You can drop the exit(); statements where they occur after die();

Glitch Desire
  • I am connected to the server in the same way you suggest; other information from the server is being seen (fetched) before I get the error, that's why I was wondering what the problem is. – codefun Aug 14 '13 at 10:31
  • @codefun You probably need to show more of your code for us to be able to diagnose the issue. I'd suggest that as you seem to be in early stages of your code, you're best off dropping the deprecated library in favour of `mysqli` (which is easier too). – Glitch Desire Aug 14 '13 at 10:32
  • @codefun Out of interest, what happens if you pass the connection identifier to the `mysql_real_escape_string` explicitly? `$connection = mysql_connect('server','username','password'); mysql_real_escape_string($report, $connection);` – Glitch Desire Aug 14 '13 at 10:35
  • @codefun If your problem is with the network rather than the program, you'll need to make a new question (and might be one for Serverfault rather than SO). – Glitch Desire Aug 14 '13 at 12:03
  • I mean the internet connection, that's why I replied late. – codefun Aug 14 '13 at 12:10
  • @codefun I need to see `core/connection.php`. It looks like you're using `mysqli` for your query, which means you've probably connected via `mysqli` rather than `mysql` (these are two different drivers). Try changing `mysql_real_escape_string` to `mysqli_real_escape_string` ([documentation](http://php.net/manual/en/mysqli.real-escape-string.php) -- there is a difference in syntax). – Glitch Desire Aug 14 '13 at 12:39
  • @codefun Have updated my answer. Issue is you're using two different database drivers. – Glitch Desire Aug 14 '13 at 12:45
  • Thanks for adding the die suggestion, I learnt... and your code works. I appreciate it. – codefun Aug 14 '13 at 13:01
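
The bound-statement approach from the answer above, applied to the whole report handler, as an added example that is not part of the original question or answers. It assumes `core/connection.php` defines `$con` as a `mysqli` connection and that `$session_id`, `$date`, `$time` and `$ticket_id` are set by the included files; `save_report()` is a hypothetical helper name.

```php
<?php
// Added example, not code from the question or the answers.
// Assumptions: core/connection.php defines $con as a mysqli connection, and
// $session_id, $date, $time, $ticket_id are set by the included files.
require_once('auth.php');
require('core/connection.php');

// Make mysqli throw exceptions instead of emitting warnings and returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: inserts one report row through a bound statement.
// The values travel separately from the SQL text, so no escaping call is needed.
function save_report(mysqli $con, $site_id, $date, $time, $ticket_id, $report)
{
    $stmt = mysqli_prepare(
        $con,
        "INSERT INTO `report` (site_id, date, time, ticket_id, bug)
         VALUES (?, ?, ?, ?, ?)"
    );
    // Same type string as in the answer: i = integer, s = string.
    mysqli_stmt_bind_param($stmt, "issis", $site_id, $date, $time, $ticket_id, $report);
    mysqli_stmt_execute($stmt);
    $rows = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows === 1;
}

// strip_tags() and trim() are kept from the question; neither is an SQL defence.
$report = isset($_POST['reportmsg']) ? trim(strip_tags($_POST['reportmsg'])) : '';
if ($report === '') {
    die("textarea void");
}

try {
    $saved = save_report($con, $session_id, $date, $time, $ticket_id, $report);
} catch (mysqli_sql_exception $e) {
    // Keep database details in the server log; show the visitor a generic message.
    error_log('report insert failed: ' . $e->getMessage());
    die("ticket could not be saved");
}

echo $saved ? "<font style='font-family:Tahoma;'>ticket sent</font>"
            : "ticket could not be saved";
```

Because every database call here is `mysqli_*` on the same `$con`, the "A link to the server could not be established" warning from the mixed `mysql_*` call cannot occur.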
0

According to the documentation http://www.php.net/manual/en/function.mysql-real-escape-string.php

A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

Therefore, I bet that you're not connected to your database.

Antoine Augusti
0

Do not use this function at all. At least directly in the application code. Prepared statements ought to be used instead. This is the only proper solution.

As to why you are getting this error, a manual page usually has an explanation for every error you get with a particular function.

Your Common Sense