MySQL_real escape_string

Posted: Sat Oct 02, 2010 8:53 am
by sss123
Hi there,

Can anyone see what is wrong with this code? I've been fiddling about with it for days now and just can't get it to work. I know it's something small and silly but I just can't find it!

Thanks in advance for any help. It is much appreciated.

<?php
$con = mysql_connect("**********","**********","***********");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}

mysql_select_db("safe", $con);

$number = preg_replace('/[^0-9]/', '', $_POST['number']);
$number = (int) $number;

$realname = mysql_real_escape_string($_POST['realname');

if (substr_count("@", $_POST['email']) == 1){
$email = mysql_real_escape_string($_POST['email']);
} else {
die("Your email doesn't appear to be valid, please double check it and resubmit");
}

$comments = mysql_real_escape_string($_POST['comments']);

$sql="INSERT INTO Enquiries (Name, Number, Email, Comments, Date)
VALUES
('$realname','$number','$email','$comments', CURDATE())";

if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "";

mysql_close($con)
?>

Thanks again. Kind regards

Mike

Re: MySQL_real escape_string

Posted: Sat Oct 02, 2010 10:14 am
by twinedev
You are missing the closing square bracket for the $_POST['realname']

-Greg

Re: MySQL_real escape_string

Posted: Sat Oct 02, 2010 2:51 pm
by DigitalMind
sss123, read error messages in future

Re: MySQL_real escape_string

Posted: Sun Oct 03, 2010 1:09 pm
by sss123
Hi Greg,

Thank you very much for your useful post. That has solved the problem. However I wonder if you could check one more line of the code:

if (substr_count("@", $_POST['email']) == 1){
$email = mysql_real_escape_string($_POST['email']);
} else {
die("Your email doesn't appear to be valid, please double check it and resubmit");
}

For some reason, even if a normal email address (e.g. my own) is entered, it won't accept it. It displays "Your email doesn't appear to be valid..."

Thanks again for your time and help. It is much appreciated.

Kind regards

Mike

Re: MySQL_real escape_string

Posted: Sun Oct 03, 2010 5:04 pm
by John Cartwright
Why don't you actually try validating against the email, instead of just checking for the @ symbol?

if (!empty($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
   echo 'valid email';
} else {
   echo 'not valid email';
}
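
An added example, not part of any post in this thread: the enquiry handler with the email checked by filter_var() and the INSERT done through a PDO prepared statement instead of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7), which goes beyond what the posts cover. It also prints what the posted substr_count("@", ...) call returns, because substr_count() takes the string to search first. The in-memory SQLite database, the function names clean_enquiry and save_enquiry, and the sample submissions are assumptions made so it runs stand-alone.

```php
<?php
// Added example; assumption: in-memory SQLite via PDO so it runs offline.

// Returns the cleaned fields, or null when the email fails validation.
function clean_enquiry(array $post): ?array
{
    $email = trim((string) ($post['email'] ?? ''));
    // Format check from the thread's answer; false means "not an address".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return [
        'name'     => trim((string) ($post['realname'] ?? '')),
        'number'   => preg_replace('/[^0-9]/', '', (string) ($post['number'] ?? '')), // digits only
        'email'    => $email,
        'comments' => trim((string) ($post['comments'] ?? '')),
    ];
}

function save_enquiry(PDO $db, array $row): void
{
    // Placeholders keep the values out of the SQL text; no escaping call is needed.
    $stmt = $db->prepare(
        'INSERT INTO Enquiries (Name, Number, Email, Comments, Date)
         VALUES (:name, :number, :email, :comments, :date)'
    );
    $stmt->execute($row + ['date' => date('Y-m-d')]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Enquiries (Name TEXT, Number TEXT, Email TEXT, Comments TEXT, Date TEXT)');

// Constructed sample submissions.
$samples = [
    ['realname' => "Pat O'Neil", 'number' => '020 7946-0000', 'email' => 'pat@example.com', 'comments' => "It's fine"],
    ['realname' => 'No At', 'number' => '1', 'email' => 'pat.example.com', 'comments' => ''],
    ['realname' => 'Two Ats', 'number' => '2', 'email' => 'a@b@example.com', 'comments' => ''],
];
foreach ($samples as $post) {
    $row = clean_enquiry($post);
    if ($row !== null) {
        save_enquiry($db, $row);
    }
    // Argument order as posted in the thread: searches "@" for the whole address.
    $asPosted = substr_count('@', $post['email']);
    printf("%-16s %-8s as-posted count: %d\n", $post['email'], $row ? 'stored' : 'rejected', $asPosted);
}
echo $db->query('SELECT COUNT(*) FROM Enquiries')->fetchColumn(), " row(s) stored\n";
```

For MySQL, only the DSN passed to PDO changes; the prepared statement and the validation stay the same.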

Re: MySQL_real escape_string

Posted: Sun Oct 03, 2010 6:53 pm
by sss123
Hi John,

Thank you for your post. I will replace my code with yours!

What does validating actually do?

Kind regards,

Mike

Re: MySQL_real escape_string

Posted: Sun Oct 03, 2010 7:13 pm
by John Cartwright
–verb (used with object), -dat·ed, -dat·ing.
1. to make valid; substantiate; confirm: Time validated our suspicions.

It ensures your email is of proper format.