mysql-real-escape-string

The following code works perfectly fine in my local xampp installation (Windows 7), but when I ported it over to a Win2K8 R2 server, the mysql_real_escape_string piece does not work. When I comment it out, it works fine. I am pretty sure this has something to do with the php.ini file but cannot pinpoint what it is. Perhaps my code should have been written differently to begin with. function add_asset($asset_type_ID, $org_ID, $asset_desc, $asset_cost, $asset_value, $purchase_date) { global $db; $asset_desc = mysql_real_escape_string($asset_desc); $query = "INSERT INTO assets (asset_ID, asset

I am very confused over something and was wondering if someone could explain. In PHP i validate user input so htmlentitiies, mysql_real_escape_string is used before inserting into database, not on everything as i do prefer to use regular expressions when i can although i find them hard to work with. Now obviously i will use mysql_real_escape_string as the data is going into the database but not sure should i be using htmlentities() only when getting data from database and displaying it on a webpage as doing so before hand is altering the data entered by a person which is not keeping it's

Portion of xml file that represents the problem (the xml file has hundreds of customers record) <?xml version="1.0" encoding="utf-8"?> <test> <customer> <name>customer 1</name> <address>address 1</address> <city>city 1</city> <state>state 1</state> <zip>zip 1</zip> <phone>phone 1</phone> <buyerinfo> <shippingaddress> <name>ship to</name> <address>Ship address1</address> </shippingaddress> </buyerinfo> <shippingDetail> <saletax> <saletaxamount>2</saletaxamount> </saletax> </shippingDetail> </customer>... Below is my code //Xml string is parsed and creates a DOM Document object $responseDoc =

Ok, this subject is a hotbed I understand that. I also understand that this situation is dependent on what you are using as code. I have three situations that need to be resolved. I have a form in where we need to allow people to make comments and statements that use commas, tildes, etc... but still remain safe from attacks. I have people entering in dates like this: 10/13/11 mm/dd/yy in English, can this be sanitized? How do I understand how to use htmlspecialchars() , htmlentities() and real_escape_string() correctly? I've read the php.net site and some posts here but this seems to me to be

So I'm fairly paranoid and use mysql_real_escape_string() with PDO. I actually don't use prepared statements in PDO, so I do have to sanitize the inputs. When hosting on my own server, I'd create an unprivileged user on the local machine so mysql_real_escape_string() wouldn't fail and empty my variable (heh, now that's sanitization!). I realize this is a pretty fail solution, since if the db's don't have matching charsets, then there's no point to the sanitizing at all, but it worked for the interim. Now at my new host, I can't create an unpassworded, unprivileged user for the database... and

I have been trying to figure out how exactly \x00, \n, \r, \, or \x1a can cause an SQL Injection (as it is mentioned at http://nl3.php.net/manual/en/function.mysql-real-escape-string.php ) I understand the idea of single quote and double quotes, but how and why I need to take care of the other items to make my query safe? I was wondering about the same question and I found the answer in the C API documentation of MySQL , it states: Characters encoded are “\”, “'”, “"”, NUL (ASCII 0), “\n”, “\r”, and Control+Z (\x1a). Strictly speaking, MySQL requires only that backslash and the quote character

I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code: <?php // Some config stuff define(DB_HOST, 'localhost'); define(DB_USER, 'root'); define(DB_PASS, ''); define(DB_NAME, 'quicklike'); $link = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die('ERROR: ' . mysql_error()); $sel = mysql_select_db(DB_NAME, $link) or die('ERROR: ' . mysql_error()); $likeMsg = mysql_real_escape_string(trim($_POST['likeMsg'])); $timeStamp = time(); if(empty($likeMsg)) die('ERROR: Message is empty'); $sql = "INSERT INTO `likes` (like