Search code examples
phpmysql-real-escape-string

Error on mysql_real_escape_string()

That is the part of my code : 

 if(!isset($_GET['username']) || !isset($_GET['sessionid']))
 {
  $returning = array('error' => 'Invalid query');
  echo json_encode($returning);
  break;
 }
 echo $_GET['username'];
 $z = mysql_real_escape_string($_GET['username']);
 echo $z;

And my query :

tymonradzik.pl/THUNDER_HUNTER/thapi.php?q=xxx&username=ty221&sessionid=JRHjYqeZKBPq1LPPck0XrnCwJU2UKnfufWNem1d7D3yEOnu0HvX9SAFCuIxe6MImJwA6xNdbQLPF9kGRPE0IeGkJoRXvEGRncrtKfGV6sLLB5ssV6sDk9X3xP13tHUQU

It is returning only "ty221", but should "ty221ty221". Where is the error ?

Solution

  • According to the documentation:

    If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.

    Returns the escaped string, or FALSE on error.

    An educated guess is that you do not have a valid connection to the database, therefore mysql_real_escape_string attempts to open a new connection using the configuration values in php.ini, which fails.

    Obligatory security notice:

    You are using an obsolete database API and should use a modern replacement. You are also vulnerable to SQL injection attacks that a modern API would make it easier to defend yourself from.