
mysql_real_escape_string() [function.mysql-real-escape-string] is preventing server connection


Can someone explain why I am getting this error when I am setting up a new website, and how to solve it?

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/sitename/public_html/cms/cms/admin/report.php on line 8

Now contents of line 8:

$report = mysql_real_escape_string( $report );

EDIT

<?php

require_once('auth.php'); require('core/plugin.php');
// session details  are here 
require('core/connection.php');
if($session_id == $session_id){
    $report = $_POST['reportmsg'];
    $report = strip_tags( $report );
    $report = mysql_real_escape_string( $report );
    $report = trim( $report );
    if($report == ""){
        die("textarea void");
        exit();
    } elseif($report == $report) {
        $sql="INSERT INTO report (site_id, date, time, ticket_id, bug)
        VALUES
        ( 
            '$session_id',
            '$date',
            '$time',
            '$ticket_id',
            '$report'
        )";
        if (!mysqli_query($con,$sql)) {
            die("Failed  to connect");
            exit();
        }
        echo ("<font style='font-family:Tahoma;'>ticket sent</font>");
        exit();
    }
}
?>

Solution

  • You haven't established a connection to your database

    This function takes into account the character set on the database you're using (documentation), so it needs a connection to a database in order to work. Run this before any escape strings:

    mysql_connect('server','username','password');
    

    Or alternatively, consider not using mysql_* because it's deprecated, may fall out of maintenance and may be removed from a future version of PHP. You may be better off using mysqli or PDO.

    Edit: Looks like you may already be using mysqli

    Since you added your code, I noticed that your query is called with mysqli_query. You are probably connected to your database using mysqli, in which case, change the following line:

    mysql_real_escape_string($report);
    

    To this line:

    mysqli_real_escape_string($con,$report);
    

    These are two different APIs and don't share connection objects, so your mysql_* function cannot use your mysqli_* connection.

    Having said that, you may be better off using prepared statements...

    Lines and lines of escaping can make your queries safe, but they're expensive and introduce boilerplate into your code.

    As others have suggested, you may wish to look into prepared statements instead:

    $stmt = mysqli_prepare($con, "INSERT INTO `report` (site_id, date, time, ticket_id, bug) VALUES (?,?,?,?,?)");
    mysqli_stmt_bind_param($stmt, "issis", $session_id, $date, $time, $ticket_id, $report);
    mysqli_stmt_execute($stmt);
    

    On a side note, re: die() and exit()

    You use this a few times in your code:

    die("textarea void");
    exit();
    

    These two functions are aliases (die() and exit() do exactly the same thing), and your code never reaches exit(). You can drop the exit(); statements where they occur after die();
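An added example, not part of the original question or answer: the report handler rebuilt around a single mysqli connection and a prepared statement, with database errors sent to the log instead of the page. The host, credentials, database name, the `save_report()` helper and the sample `$session_id` / `$ticket_id` values are assumptions; the `issis` type string is the one used in the answer above.

```php
<?php
// Added example: one API (mysqli) for both the connection and the query.
// Make mysqli throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Hypothetical helper: returns false when the message is empty, true once stored.
function save_report(mysqli $con, int $siteId, int $ticketId, string $rawReport): bool
{
    $report = trim(strip_tags($rawReport));
    if ($report === '') {
        return false;
    }
    // The values travel separately from the SQL text, so no escaping call is
    // needed and nothing depends on a mysql_* link that was never opened.
    $stmt = $con->prepare(
        'INSERT INTO report (site_id, date, time, ticket_id, bug) VALUES (?, ?, ?, ?, ?)'
    );
    $date = date('Y-m-d');
    $time = date('H:i:s');
    $stmt->bind_param('issis', $siteId, $date, $time, $ticketId, $report);
    $stmt->execute();
    $stmt->close();
    return true;
}

// Constructed sample values standing in for what auth.php sets in the question.
$session_id = 1;
$ticket_id  = 1001;

try {
    // Placeholder connection details (assumptions, not from the post).
    $con = new mysqli('localhost', 'db_user', 'db_password', 'cms');
    $con->set_charset('utf8mb4');
    $saved = save_report($con, $session_id, $ticket_id, $_POST['reportmsg'] ?? '');
    echo $saved ? 'ticket sent' : 'textarea void';
} catch (mysqli_sql_exception $e) {
    // Keep driver details out of the response; record them server-side.
    error_log('report insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'Could not save the report';
}
```

With exceptions enabled, a failed connection and a failed INSERT are logged with their real cause rather than both surfacing as "Failed  to connect".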