I’m trying to use mysql_real_escape_string() to secure a log in form.
Using this code:
include_once 'access-shared.php';
include_once 'access-databaseconnect.php';
session_start();
$email = mysql_real_escape_string(isset($_POST['email'])) ? mysql_real_escape_string($_POST['email']) : $_SESSION['email'];
$password = mysql_real_escape_string(isset($_POST['password'])) ? mysql_real_escape_string($_POST['password']) : $_SESSION['password'];
Trouble is it throws up an error every time:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'xxx'@'localhost' (using password: NO)
I can’t get my head around it, the db user has all permissions and the username details are correct in the access-databaseconnect.php file. It works perfectly without the mysql_real_escape_string around the $_POST but obviously it leaves it open to MySQL injection.
Any help is most appreciated.
EDIT: Here is the contents of the access-databaseconnect.php file:
<?php
$dbhost = 'localhost';
$dbusername = 'xxxx';
$dbpassword = 'xxxx';
function dbConnect($db='') {
    global $dbhost, $dbusername, $dbpassword;
    $dbcnx = @mysql_connect($dbhost, $dbusername, $dbpassword)
        or die('Cannot connect to Database: '.mysql_error());
    if ($db!='' and !@mysql_select_db($db))
        die('Cannot connect to Database: '.mysql_error());
    return $dbcnx;
}
?>
In order to use mysql_real_escape_string(), you must have already established a connection via mysql_connect(). If that does not occur in access-databaseconnect.php, or the connection has not succeeded, you will not be able to call mysql_real_escape_string().
Update
You define the function dbConnect() in access-databaseconnect.php, but you never call it. Create your connection as
An additional note, but not the source of your problem… Do not call mysql_real_escape_string() around the result of your isset() calls. Though it is most likely harmless, it is unnecessary.
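The same login check with the connection opened before any input is handled and the values bound as parameters, as an added example that is not part of the original question or answer. It uses PDO instead of the mysql_* functions from the thread (that extension was removed in PHP 7.0), with an in-memory SQLite database standing in for MySQL so it runs offline; the users table, its columns and the sample rows are constructed.

```php
<?php
// Added example: table, columns and sample rows are constructed for illustration.
// In-memory SQLite stands in for the MySQL database; for MySQL only the DSN and
// credentials passed to the PDO constructor change.
function dbConnect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Throw on errors instead of suppressing them with @
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function seedUsers(PDO $pdo): void {
    $pdo->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice@example.com', password_hash('correct horse', PASSWORD_DEFAULT)]);
}

// Returns true only when the email exists and the password matches its stored hash.
function checkLogin(PDO $pdo, string $email, string $password): bool {
    // Placeholders keep the input out of the SQL text, so no escaping call is needed
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $hash = $stmt->fetchColumn();   // false when no row matched
    return $hash !== false && password_verify($password, $hash);
}

$pdo = dbConnect();   // the connection exists before any query is built
seedUsers($pdo);

// Constructed inputs standing in for $_POST['email'] and $_POST['password']
$attempts = [
    ['alice@example.com', 'correct horse'],   // valid login
    ['alice@example.com', 'wrong'],           // bad password
    ["' OR '1'='1", 'anything'],              // injection-style input, matched as a literal email
];
foreach ($attempts as [$email, $password]) {
    var_dump(checkLogin($pdo, $email, $password));
}
```

Because prepare() and execute() are methods of the connection object, the query cannot be built before the connection exists, which is the ordering mistake behind the warning in the question.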