mysql_real_escape_string returns empty/blank inside a DB connection

Question

I have a problem with mysql_real_escape_string. I use ezSQL to connect with MySQL.

Problem:

mysql_real_escape_string($username) and mysql_real_escape_string($password) turns empty.

Code:

$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'");

Work-around:

Putting mysql_real_escape_string BEFORE or inside $row makes the value empty. Putting mysql_real_escape_string AFTER $row makes it work. Hence; Have another $db in front of the exsisting $row:

$row2 = $db->get_row("SELECT firstname, secondname, id FROM users");
$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".mysql_real_escape_string($username)."' AND password='".mysql_real_escape_string($password)."'");

Question:

How can i properly fix this?

Answer 1

ezsql has its own escape method you should be using – Dagon

Thank you, this solved my question! I have updated my code to:

$password = $db->escape($_POST['password']);
$username = $db->escape($_POST['username']);
$row = $db->get_row("SELECT firstname, secondname, id FROM users WHERE login='".$username."' AND password='".$password."'");

I will work towards upgrading to MySQLi later. I know that ezSQL also offers a MySQLi component. Thanks for your suggestions Destruction, meda and Christophe Ferreboeuf!