What's wrong with this PHP mysql_real_escape_string?
- by skyhigh
Hi
<?php
/*** check the variables for content ***/
/*** a list of filters ***/
$filters = array(
    'searchtext' => array('filter' => FILTER_CALLBACK, 'options' => 'mysql_real_escape_string'),
    'fieldname'  => array('filter' => FILTER_CALLBACK, 'options' => 'mysql_real_escape_string')
);
/*** escape all POST variables ***/
$input = filter_input_array(INPUT_POST, $filters);
/*** check the values are not empty ***/
if (empty($input['fieldname']) || empty($input['searchtext']))
{
    echo 'Invalid search';
}
else
{
    /*** mysql hostname ***/
    $hostname = 'localhost';
    /*** mysql username ***/
    $username = 'username';
    /*** mysql password ***/
    $password = 'password';
    /*** mysql database name ***/
    $dbname = 'periodic_table';
    /*** connect to the database ***/
    $link = @mysql_connect($hostname, $username, $password);
    /*** check if the link is a valid resource ***/
    if (is_resource($link))
    {
        /*** select the database we wish to use ***/
        if (mysql_select_db($dbname, $link) === TRUE)
        {
            /*** sql to SELECT information ***/
            $sql = sprintf("SELECT * FROM elements WHERE %s = '%s'", $input['fieldname'], $input['searchtext']);
            /*** echo the sql query ***/
            echo '<h3>' . $sql . '</h3>';
            /*** run the query ***/
            $result = mysql_query($sql);
            /*** check if the result is a valid resource ***/
            if (is_resource($result))
            {
                /*** check if we have more than zero rows ***/
                if (mysql_num_rows($result) !== 0)
                {
                    echo '<table>';
                    while ($row = mysql_fetch_array($result))
                    {
                        echo '<tr>
                            <td>' . $row['atomicnumber'] . '</td>
                            <td>' . $row['latin'] . '</td>
                            <td>' . $row['english'] . '</td>
                            <td>' . $row['abbr'] . '</td>
                        </tr>';
                    }
                    echo '</table>';
                }
                else
                {
                    /*** if zero results are found.. ***/
                    echo 'Zero results found';
                }
            }
            else
            {
                /*** if the resource is not valid ***/
                echo 'No valid resource found';
            }
        }
        /*** if we are unable to select the database show an error ***/
        else
        {
            echo 'Unable to select database ' . $dbname;
        }
        /*** close the connection ***/
        mysql_close($link);
    }
    else
    {
        /*** if we fail to connect ***/
        echo 'Unable to connect';
    }
}
?>
I got this code from the phppro.org tutorials site and I tried to run it. It gives:
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established. ....
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO)....
I went to php.net and looked it up: "Note: A MySQL connection is required before using mysql_real_escape_string(), otherwise an error of level E_WARNING is generated and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used."
My questions are:
1. Why did they put single quotation marks around mysql_real_escape_string?
2. Should they establish a connection first, and then use the $filters array statement with mysql_real_escape_string?
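For comparison, here is how the same search can be written so that the ordering problem and the escaping question do not arise. This is an added example, not code from the post or from the phpro.org tutorial. It assumes the same `elements` table (columns atomicnumber, latin, english, abbr) in a database named periodic_table; the DSN and credentials are placeholders. Two things it shows that the posted code does not: the column name is checked against a fixed allow-list, because an escaping function only protects quoted string values and cannot make an identifier spliced into the query text safe; and the value is passed as a bound parameter, so the driver handles quoting over an already-open connection and no manual escaping call is needed. The `'options' => 'trim'` entry also illustrates what the quotes in the original mean: FILTER_CALLBACK takes a callable, and a quoted function name is one way to spell a callable in PHP.

```php
<?php
// Added example (not from the original post or the phpro.org tutorial).
// Assumes: table `elements` with columns atomicnumber, latin, english, abbr
// in database periodic_table; DSN, username and password are placeholders.

/*** only these column names may appear in the WHERE clause ***/
$allowedFields = ['atomicnumber', 'latin', 'english', 'abbr'];

/*** FILTER_CALLBACK takes a callable; a quoted function name is a callable ***/
$filters = [
    'searchtext' => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
    'fieldname'  => ['filter' => FILTER_CALLBACK, 'options' => 'trim'],
];
$input = filter_input_array(INPUT_POST, $filters);

$fieldname  = $input['fieldname']  ?? '';
$searchtext = $input['searchtext'] ?? '';

/*** reject anything that is not one of our own column names ***/
if (!in_array($fieldname, $allowedFields, true) || $searchtext === '') {
    echo 'Invalid search';
    exit;
}

/*** connect first; every quoting mechanism needs a live connection ***/
$pdo = new PDO(
    'mysql:host=localhost;dbname=periodic_table;charset=utf8mb4', // placeholder DSN
    'username',                                                   // placeholder
    'password',                                                   // placeholder
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

/*** identifier from the allow-list, value through a bound parameter ***/
$sql  = sprintf('SELECT atomicnumber, latin, english, abbr FROM elements WHERE `%s` = :searchtext', $fieldname);
$stmt = $pdo->prepare($sql);
$stmt->execute([':searchtext' => $searchtext]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

if ($rows === []) {
    echo 'Zero results found';
    exit;
}

/*** escape on output too: these values go into HTML, not SQL ***/
echo '<table>';
foreach ($rows as $row) {
    echo '<tr>';
    foreach ($allowedFields as $col) {
        echo '<td>' . htmlspecialchars((string) $row[$col], ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo '</tr>';
}
echo '</table>';
```

Note that the query text is no longer echoed back to the browser; printing the assembled SQL, as the tutorial does, leaks the table and column layout to anyone who can submit the form.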