For preventing sql injections I tried this:
$db = new myConnectDB();
$beerName = mysql_real_escape_string($beerName);
$beerID = mysql_real_escape_string($beerID);
$brewery = mysql_real_escape_string($brewery);
$style = mysql_real_escape_string($style);
$userID = mysql_real_escape_string($userID);
$abv = mysql_real_escape_string($abv);
$ibu = mysql_real_escape_string($ibu);
$breweryID = mysql_real_escape_string($breweryID);
$icon = mysql_real_escape_string($icon);
$beerName = addslashes($beerName);
$brewery = addslashes($brewery);
$brewery = str_replace('\'', '', $brewery);
$query3 = "INSERT INTO uniqueBeers (userID,beerID,beerName,beerStyle,beerBrewery,abv,ibu,breweryID,icon, brewIcon) VALUES ($userID, '$beerID', '$beerName', '$style' , '$brewery', '$abv','$ibu','$breweryID', '$icon', '$iconBrew')";
$db->query($query3);
But I get all sorts of errors like:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user
After reading the errors and doing some research online I noticed I could pass a connection in and I tried this:
$beerName = mysql_real_escape_string($beerName,$db);
for all the above entries but it also did not work, so now I am a little stuck.
Update:
Here is the contents of myConnectDB with my database info taken out
<?php
class myConnectDB extends mysqli {
    public function __construct($hostname = 'localhost',
                                $user = '',
                                $password = '',
                                $dbname = '') {
        parent::__construct($hostname, $user, $password, $dbname);
    }
}
?>
You are using the mysqli extension to connect with your DB (assuming this is successful), but you are using a MySQL function later in your script. The equivalent mysqli (procedural) function is mysqli_real_escape_string($dbLink, $stringToEscape). Note the extra i (for Improved). However, you have a mysqli object, so you should use the object-oriented style:
Also, once you have corrected the above, then you do not require the following lines of code:
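As an added example (not code from the question or the answer above), here is the same INSERT written against the asker's mysqli object, first using the object-oriented escape method the answer refers to, then as a prepared statement, which removes the need for escaping and addslashes() entirely. It assumes the myConnectDB class and the uniqueBeers column list from the question; the column types chosen for bind_param and the credentials are assumptions.

```php
<?php
// Added example. Assumes the asker's myConnectDB class (a mysqli subclass)
// is already defined and that uniqueBeers has the columns used in the question.
// Credentials and column types are placeholders/assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
$db = new myConnectDB('localhost', 'dbuser', 'dbpass', 'beers');
$db->set_charset('utf8mb4'); // escaping is only correct for the connection's charset

// (a) The direct fix: the object-oriented escape method on the connection.
//     Every escaped value must still be wrapped in quotes inside the SQL text
//     (the original query left $userID unquoted, which escaping cannot protect).
$brewery     = "O'Malley's";                  // constructed sample value
$brewerySafe = $db->real_escape_string($brewery);
$sqlEscaped  = "SELECT breweryID FROM uniqueBeers WHERE beerBrewery = '$brewerySafe'";

// (b) The preferred form: a prepared statement. Values travel separately from
//     the SQL, so quotes in user input are stored as data, never parsed as SQL.
function insertUniqueBeer(mysqli $db, array $beer): bool
{
    $sql = 'INSERT INTO uniqueBeers
              (userID, beerID, beerName, beerStyle, beerBrewery,
               abv, ibu, breweryID, icon, brewIcon)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    // One type character per placeholder: i = integer, d = double, s = string.
    // Types are assumed from how the original query quoted each value.
    $stmt->bind_param(
        'issssddsss',
        $beer['userID'],    $beer['beerID'],    $beer['beerName'],
        $beer['style'],     $beer['brewery'],   $beer['abv'],
        $beer['ibu'],       $beer['breweryID'], $beer['icon'],
        $beer['iconBrew']
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample row: the apostrophes are stored intact, not stripped.
$inserted = insertUniqueBeer($db, [
    'userID' => 42,            'beerID'  => 'b-1001',
    'beerName' => "Old Pete's Porter", 'style' => 'Porter',
    'brewery' => "O'Malley's", 'abv'     => 5.6,  'ibu' => 30.0,
    'breweryID' => 'br-7',     'icon'    => 'porter.png',
    'iconBrew' => 'omalley.png',
]);
```

With mysqli_report() set to throw, a failed connection or prepare surfaces as a mysqli_sql_exception instead of the silent "Access denied" warnings from the question.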