Home/ Questions/Q 6897395
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T07:09:49+00:00

I’m having this issue that I’ve yet to find a solution to. For example,

  • 0

I’m having this issue that I’ve yet to find a solution to. For example, I am currently using jQuery to post data via Ajax to a PHP script I have written. When I use mysql_real_escape_string() on the data sent by the Ajax request, the username is completely stripped down to nothing and the password is rehashed in MD5. My complete code is provided below. I believe it is a problem with mysql_real_escape_string() because if I remove the function from both inputs, the form works seamlessly. Has anyone ran into this problem before or know of any solutions? Thanks!

EDIT: Also, data is being passed to the script for both fields, I’ve confirmed this with echo print_r($_POST, true);

login.php:

<?php
function dbConnect() {
    $db = new mysqli("", "", "", "");
    return $db;
}
$username = mysql_real_escape_string($_POST["username"]);
$sanPass = mysql_real_escape_string($_POST["password"]);
$password = md5($sanPass);
$db = dbConnect();
$query = "SELECT * FROM `users` WHERE `username`='$username' AND `password`='$password';";
$res = $db->query($query);
$num = mysqli_num_rows($res);
if ($num == 0) {
    echo "incorrect u=" . $username . " p=" . $password;
} else {
    $row = $res->fetch_assoc();
    $uuid = uniqid(rand(0, 10000));
    setcookie("jBootUsername", $username);
    setcookie("jBootUUID", $uuid);
    setcookie("jBootIP", $_SERVER["REMOTE_ADDR"]);
    $ip = $_SERVER["REMOTE_ADDR"];
    $query = "INSERT INTO `sessions` (username, cookie, ip) VALUES ('$username', '$uuid', '$ip');";
    $db->query($query);
    echo "success";
}
?>

login.js:

$(document).ready(function() {


var $body = $('body'),
    $content = $('#content'),
    $form = $content.find('#loginform');


    //IE doen't like that fadein
    if(!$.browser.msie) $body.fadeTo(0,0.0).delay(500).fadeTo(1000, 1);


    $("input").uniform();


    $form.wl_Form({
        status:false,
        onBeforeSubmit: function(data){
            $form.wl_Form('set','sent',false);
            if(data.username || data.password){
                $.ajax({
                  type: "POST",
                  url: 'functions/login.php',
                  data: 'username=' + data.username + '&password=' + data.password + '',
                  success: function(data) {
                    if (data == "success") {
                        document.location="home.php";
                    } else {
                        alert(data);
                        $.wl_Alert("Login invalid, please try again.",'info','#content');
                    }
                  }
                });
            }else{
                $.wl_Alert('Please provide both a username and password to login.','info','#content');
            }
            return false;

        }                             
    });


});
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team
    1. You are using mysqli, so mysql_real_escape_string() . Use mysqli_real_escape_string() instead, or better yet prepare your query with $mysqli->prepare()
    2. Anyways, you were using mysql_real_escape_string() before connecting to the database, so it returned FALSE. But that’s just in case you would have been using mysql_*

    UPDATE:

    Arguments in mysqli_real_escape_string() are swapped, you need to pass the $link identifier first, and the variable as second.

    Anyway, you might be better off with prepare and bind param:

    $db = dbConnect();
$username = $_POST['username'];
$password = md5($_POST['password']);
$sql = "SELECT * FROM `users` WHERE `username`= ? AND `password`= ?;"
$stmt = $db->prepare($sql);
$stmt->bind_param('ss', $username, $password);
$stmt->execute();
if($stmt->num_rows == 0)
{
 echo "incorrect username and/or password";
}
else
{
  $row = $stmt->fetch_assoc();
   //...
}
    • 0