mysql_real_escape_string(): Access denied in DB insert

Question

I am trying to use a legacy MediaWiki extension on PHP 5.6 and later versions, and it fails when it comes to DB inserts.

And yes, this is not a duplicate, as the code is different.

The full error was:

Warning: mysql_real_escape_string(): Access denied for user ''@'localhost' (using password: NO)

I tried changing to mysqli_real_escape_string but then I had:

mysqli_real_escape_string() expects exactly 2 parameters, 1 given on line 235

Here is the function:

function Lookup_addLookup ($url, $name, $group)
{
    $dbw = wfGetDB(DB_MASTER);

    $groupOrder = Lookup_getGroupOrder($group);
    $dbw->query ("INSERT INTO ".Lookup_prefix()."lookups (lu_name, lu_url, lu_group, lu_order, lu_group_order) VALUES ('".mysql_real_escape_string($name)."', '".mysql_real_escape_string($url)."', '".mysql_real_escape_string($group)."', 1, $groupOrder)");

    Lookup_reOrderGroups();
    return true;
}

And another one further down:

function Lookup_moveGroupUp($group)
{
    $dbw = wfGetDB(DB_MASTER);

    $dbw->query ("UPDATE ".Lookup_prefix()."lookups SET lu_group_order = 0 WHERE lu_group = '".mysqli_real_escape_string($group)."'");

    Lookup_reOrderGroups();

    return true;
}

Possible duplicate of [Warning: mysqli\_real\_escape\_string() expects exactly 2 parameters, 1 given in... Fatal error: Call to a member function query() on null in](https://stackoverflow.com/questions/33776004/warning-mysqli-real-escape-string-expects-exactly-2-parameters-1-given-in) — Nico Haase, Feb 15 '19 at 14:55

a stone arachnid · Accepted Answer · 2019-02-15T21:30:44.930

mysqli_real_escape_string() needs the database link as the first parameter, which is why it isn't working.

However, MediaWiki wants us to avoid direct queries, so it has the $dbw->insert() method instead, one of several wrapper functions.

Use something like this:

function Lookup_addLookup ($url, $name, $group)
{
    $dbw = wfGetDB(DB_MASTER);

    $groupOrder = Lookup_getGroupOrder($group);
    $dbw->insert(
        Lookup_prefix()."lookups",
        array(
            'lu_name'  => $name,
            'lu_url'   => $url,
            'lu_group' => $group,
            'lu_order' => 1,
            'lu_group_order' => $groupOrder
        )
    );

    Lookup_reOrderGroups();
    return true;
}

And in the second example, use $dbw->update():

function Lookup_moveGroupUp($group)
{
    $dbw = wfGetDB(DB_MASTER);

    $dbw->update(
        Lookup_prefix()."lookups",
        array(
            "lu_group_order" => 0
        ),
        array(
            "lu_group" => $group
        )
    );

    Lookup_reOrderGroups();

    return true;
}

For more information and other SQL wrappers, read about the different wrapper functions and their documentation.

Thank you! That gave me: mysqli_real_escape_string() expects parameter 1 to be mysqli, object given on line 235 [It is the line starting with $dbw->query] — greektranslator, Feb 15 '19 at 15:32
Damn, I have another one further down (I edited original post) — greektranslator, Feb 15 '19 at 16:21
Brilliant, thanks for the extra query help, I tried but could not figure it out. — greektranslator, Feb 16 '19 at 16:41

mysql_real_escape_string(): Access denied in DB insert

1 Answers1