-
Sep 2nd, 2009, 05:50 PM
#1
[RESOLVED] Re-designing a flash site in (x)html
Hi,
For my major assignment in my php class I have decided to redo the website I created in my flash class. While I have got the majority of the php sorted there are a few things I am confused about.
Number 1:
In flash, after the login information was checked and successfully compared the user logs in to the website; sometimes the user will be shown a new frame. How do I do that re-direct/log-in type thing with html?
Thanks,
Nightwalker
when you quote a post could you please do it via the "Reply With Quote" button or if it is multiple posts click the "''+" button then the "Reply With Quote" button.
If this thread is finished with please mark it "Resolved" by selecting "Mark thread resolved" from the "Thread tools" drop-down menu.
-
Sep 3rd, 2009, 12:09 PM
#2
Re: Re-designing a flash site in (x)html
My typical design of a login page (or any page with form submission) goes something like this:
Code:
<?php
$error_message = false;
if (isset($_POST["formSubmitted"])) {
    $desired_result = false;
    // process form - validate input, do any database operations, etc.
    // set $desired_result to true when conditions are satisfied
    if ($desired_result) {
        // give user a login cookie, redirect them to where they should go next
        header("Location: loggedIn.php");
        exit;
    } else {
        $error_message = "There was a problem with your login.";
    }
}
?>
<html>
<head>
</head>
<body>
<?php if ($error_message) { echo "<p>$error_message</p>"; } ?>
<form action="" method="POST">
...
<input type="submit" name="formSubmitted" value="Submit"/>
</form>
</body>
</html>
When the user first visits the page, $_POST["formSubmitted"] is not set, so the code for processing the form will be skipped. Also $error_message is false, so no error will display. They then submit the form (leaving the "action" attribute empty on a form will have it submit to the same page it's on), and you handle their data as needed. If the result of your script is "good," send them off to their next location, otherwise inform them of their mistake and let them try again (by not forwarding them away from the login page - the form below the PHP will load up again).
Makes sense?...
-
Sep 3rd, 2009, 07:03 PM
#3
Re: Re-designing a flash site in (x)html
Thanks, I'll have to try it and see if it's what I'm looking for.
-
Sep 11th, 2009, 05:16 PM
#4
Re: Re-designing a flash site in (x)html
I have created a php page template (.dwt.php) file! I have a .php file that already contains working php code will that code be deleted if I apply the template to that php page?
-
Sep 12th, 2009, 09:57 AM
#5
Re: Re-designing a flash site in (x)html
Don't know, never used Dreamweaver.
-
Sep 12th, 2009, 06:54 PM
#6
Re: Re-designing a flash site in (x)html
 Originally Posted by SambaNeko
Don't know, never used Dreamweaver.
I don't think it would, but just in case I have a backup of the php code, so if the template does override the code I can apply the template manually.
-
Oct 6th, 2009, 06:44 PM
#7
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
it's evident with the code you posted that the server you're using has magic_quotes_gpc on (otherwise, no, the code you posted would not run if you had a single quote in either of those fields). like mentioned earlier, this is a deprecated feature and isn't something you should be [implicitly] supporting. you should use a recursive function that strips those slashes from the super globals, and then prepare them for the database (via the mysql_real_escape_string() function or a prepared statement using mysqli or pdo) yourself later on.
To enable the code to work properly without magic_quotes_gpc (magic_quotes_gpc turned off) I know I need to check the php.ini file and edit it to turn off magic_quotes_gpc. However, is there anything in the code I need to change? I'm guessing phpdev, wampserver, etc. initially have magic_quotes_gpc turned on because that's how I've been testing my code and each time it works.
This is the website I have found so far! It pointed me to the above mentioned php.ini file. The site also mentions:
 Originally Posted by http://www.jimmysworld.org/article.html?aID=59
By default magic_quotes_gpc was turned off in all 3.x.x versions of PHP. However, all PHP 4.x.x versions have this option turned on by default. To insert a little bit of personal opinion I think this was a horrible mistake because I feel that magic_quotes_gpc is problematic in professional applications, and encourages sloppy programming behaviour. That is however just my opinion, and the FACT is that probably the version of PHP you are using has this option on by default.
As I read that I would have been better off sticking with version 3.x.x of PHP rather than upgrading if the creators are going to go backwards during the implementation of features.
Last edited by Nightwalker83; Oct 6th, 2009 at 08:17 PM.
Reason: Adding more
-
Oct 6th, 2009, 10:09 PM
#8
Re: Re-designing a flash site in (x)html
I am pretty sure you put this post in the wrong place. it's a good thing I decided to start reading this forum again!
anyway, you would be crazy to think you would be better off using PHP3 over, say, PHP5. even PHP4. magic_quotes_gpc provides a false security to SQL injection, and does encourage sloppy programming. the code you provided was evidence of that.
to "make code work" without magic_quotes_gpc, you simply need to be aware of the dangers of trusting your user's input. any untrustworthy data (no user's input is ever trustworthy -- so this means all input) needs to be sanitised before being used within an SQL query, for example. this counts for inserts, selects, updates, deletes. if you aren't up to adopting a database extension that uses prepared statements (like PDO or MySQLi), you can use the function mysql_real_escape_string() instead. eg.
PHP Code:
<?php
$data = "My name is 'Bob'!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data='$data'";
//without a call to mysql_real_escape_string(), this SQL query would fail because of the single quotes contained in $data.
?>
there isn't really much else to it.
Last edited by kows; Oct 6th, 2009 at 10:14 PM.
-
Oct 6th, 2009, 10:31 PM
#9
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
$data = "My name is 'Bob'!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data='$data'";
//without a call to mysql_real_escape_string(), this SQL query would fail because of the single quotes contained in $data.
?>
there isn't really much else to it.
Nope, this is the correct forum for what I plan on doing which is redesigning website using xhtml.
So all I have to do is type:
$data = "My name is Bob!";
$data = mysql_real_escape_string($data);
$sql = "SELECT * FROM table WHERE data=$data";
that is removing the ' single quotes but still leaving the double quotes?
-
Oct 6th, 2009, 11:37 PM
#10
Re: Re-designing a flash site in (x)html
uh, no. you type exactly what my example said (otherwise, why would I have posted an example?). mysql_real_escape_string() does exactly what the name suggests; it's a mysql centered function that escapes strings. it will escape quotes and a few other characters that mysql would like you to.
if you are unsure about what a function does, you should really try to look it up.
my comment about this being in the wrong forum was because the post you quoted me in was from the PHP forum, and this is a forum for HTML, CSS and other misc languages. there is a separate forum for PHP, and PHP-centric posts should generally be put into that forum. on top of that, this thread you created is a month old, so I'd think you wouldn't need to use it to ask for more help, or whatever. not that I'm a moderator, or really have any sort of authority on this subject whatsoever, but I'm just saying! I suppose it doesn't matter a huge deal either way.
-
Oct 7th, 2009, 12:38 AM
#11
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
uh, no. you type exactly what my example said (otherwise, why would I have posted an example?). mysql_real_escape_string() does exactly what the name suggests; it's a mysql centered function that escapes strings. it will escape quotes and a few other characters that mysql would like you to.
if you are unsure about what a function does, you should really try to look it up.
Sorry, I thought it was an example of what not to type. It looks to me like the only thing I would have to change with say this code would be putting:
Code:
$cid = mysql_real_escape_string($cid);
($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))
instead of just:
Code:
($result = mysql_query("SELECT * FROM customers where cid= '$cid'"))
In the above case $cid was a php variable used in this concept:
PHP Code:
//convert the POST variables from flash to local variables
$cid = $_POST['cid'];
On the left you have the php variable and on the right the flash variable. Would I need to change the $cid to mysql_real_escape_string($cid); if I were saving data to the database or only when I am retrieving it?
my comment about this being in the wrong forum was because the post you quoted me in was from the PHP forum, and this is a forum for HTML, CSS and other misc languages. there is a separate forum for PHP, and PHP-centric posts should generally be put into that forum. on top of that, this thread you created is a month old, so I'd think you wouldn't need to use it to ask for more help, or whatever. not that I'm a moderator, or really have any sort of authority on this subject whatsoever, but I'm just saying! I suppose it doesn't matter a huge deal either way.
Ah ok! Maybe I thought about putting this thread in the php section since the website I will be creating will use php. However, I was unsure at the time as to where this thread belonged so I put in the html section.
-
Oct 7th, 2009, 08:50 AM
#12
Re: Re-designing a flash site in (x)html
I'm not sure if you've been reading along or not.. but, to quote myself (important things bolded):
to "make code work" without magic_quotes_gpc, you simply need to be aware of the dangers of trusting your user's input. any untrustworthy data (no user's input is ever trustworthy -- so this means all input) needs to be sanitised before being used within an SQL query, for example. this counts for inserts, selects, updates, deletes. if you aren't up to adopting a database extension that uses prepared statements (like PDO or MySQLi), you can use the function mysql_real_escape_string() instead.
-
Oct 7th, 2009, 08:21 PM
#13
Re: Re-designing a flash site in (x)html
-
Oct 7th, 2009, 09:35 PM
#14
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
I'm not sure if you've been reading along or not.. but, to quote myself (important things bolded):
Ah ok, I will see if I can get it working! If not I will ask my lecturer about the problem or post here about it.
 Originally Posted by penagate
Moved
Thanks!
-
Oct 12th, 2009, 08:33 PM
#15
Re: Re-designing a flash site in (x)html
Ok I have tested on php using the following:
In php.ini:
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = off
In the *.php file:
PHP Code:
//select user record where username and password matches
$query = "select * from Customers where mysql_real_escape_string(Username='mysql_real_escape_string($user)'AND Password=' mysql_real_escape_string($password)')";
if (!($result = mysql_query($query))) {
    //if query fails echo message and exit
    echo 'authenticated=queryFailed';
    exit;
}
It all seems to be working! I just hope the above means that it's working without magic quotes.
Edit:
Although, in this file:
PHP Code:
<?php
// Database connection variables
$dbDatabase = "BazaarCeramics";
//convert the post variables from flash to local variables
$username = $_POST['username'];
$password = $_POST['uPassword'];
//connect to server or exit
if (!($conn = mysql_connect("localhost", "admin", ""))) {
    echo 'result=connection+failed';
    exit;
}
//connect to database or exit
if (!(mysql_select_db($dbDatabase, $conn))) {
    echo 'message=db+selection+failed';
    exit;
}
//select user record where username and password matches
$query = "select * from users where username='$username'AND password='$password'";
if (!($result = mysql_query($query))) {
    //if query fails echo message and exit
    echo 'authenticated=queryFailed';
    exit;
}
if ($row = mysql_fetch_array($result)) {
    //if user exists
    //the following is just one of many different ways of retrieving the information from the select query
    //the fetch_array command returns one record/row from the db formatted as an indexed or associative array.
    echo "authenticated=true";
} else {
    //user doesn't exist
    echo "authenticated=false";
}
?>
I have not added the real escape code and the code still works.
Last edited by Nightwalker83; Oct 12th, 2009 at 08:42 PM.
Reason: Fixing spelling!
-
Oct 12th, 2009, 09:21 PM
#16
Re: Re-designing a flash site in (x)html
you're not doing it correctly.
please actually read my post and look at the example given to correctly implement using this function into your code. you can't just put it inside of your query a bunch of times. you are sanitising user INPUT. you are not sanitising your own code. you sanitise the variables that you cannot predict, or that could potentially contain something harmful. generally, this means ALL input.
I hope you understand that using mysql_real_escape_string() on your variables does not just "make or break" your script. it does exactly what it says. it escapes a string for any characters that MySQL might be unhappy with. this means quotes and a few other characters (all detailed on the function's page at PHP.net). however, if you don't present an invalid query to MySQL (meaning one that does not need characters escaped), then everything is going to work fine. but, for the code you're running above, you're vulnerable to an SQL injection (quick example in a previous post I've made). if you put the string ' OR 1=1 # in the username field, and anything in the password field, your new SQL query would be:
select * from users where username='' OR 1=1 #'AND password='whatever' (bolded what our "username" would do to the query)
of course, this statement is true, because the username can either be an empty string, or 1 can be equal to 1. 1 is always equal to 1, and thus the user would be automatically logged in. note that the hash/pound symbol ("#") is a comment in MySQL (the rest of the stuff making sure the password also matches is simply ignored).
magic_quotes_gpc will give you some protection against this, but it's a false sense of security and you should really be aware of the problems you are opening yourself up to. if you ran this script on a server without magic_quotes_gpc (which you've said you've now turned off), you would be vulnerable to an attack. instead, you can apply mysql_real_escape_string() to your $username variable, and hash your $password variable (assuming you're using encryption, otherwise, use mysql_real_escape_string() on it as well).
hope you understood that. if you don't, please ask questions. I hate seeing people struggle.
Last edited by kows; Oct 12th, 2009 at 09:29 PM.
-
Oct 12th, 2009, 10:42 PM
#17
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
hope you understood that. if you don't, please ask questions. I hate seeing people struggle.
I took out the typo in the above code so it now says:
PHP Code:
$query = "select * from Customers where Username='mysql_real_escape_string($user)'AND Password='mysql_real_escape_string($password)')";
The example I was trying to follow was the 1st example here.
-
Oct 12th, 2009, 10:46 PM
#18
Re: Re-designing a flash site in (x)html
well, you're not following it at all. look at the example in my post. it doesn't get any more basic than that. you have a variable. you use the PHP function mysql_real_escape_string() on it. then you make your query. that's all you have to do. the code you're posting wouldn't protect you from an attack and would literally check for the text "mysql_real_escape_string(username)" as the entire username.
and lastly, if you're not sure what sprintf() does, don't try to follow an example using it ;)
edit: and, you need to have a space before the "AND" after "username=''" in your query.
Last edited by kows; Oct 12th, 2009 at 10:50 PM.
-
Oct 13th, 2009, 12:24 AM
#19
Re: Re-designing a flash site in (x)html
I just asked my lecturer and he said that php 5.3.0 and onward has magic quotes turned off so there is no need to use mysql_real_escape_string(), which is also backed up by the php manual.
However, if you are using php 5 or before magic quotes is supported! Kows, I am guessing you are using version 5 of php because of the above posts. I will be downloading the latest version of php which uses a different method of accounting for the slash in the post.
Last edited by Nightwalker83; Oct 13th, 2009 at 12:36 AM.
Reason: fixed spelling
-
Oct 13th, 2009, 02:04 AM
#20
Re: Re-designing a flash site in (x)html
uhhh.. I have no idea what you're thinking, or what you misunderstood from what your lecturer told you, or what you misunderstood from reading the PHP manual, but you need to step back and just ... read. you seriously are not getting this.
magic_quotes_gpc being defaulted to off in newer versions of PHP doesn't mean you don't need to worry about anything. magic_quotes_gpc being off means you DO need to worry about SQL injection. it's a deprecated feature that is still being used by many users and many hosts, and this is bad. it provides a false sense of security (like mentioned above).
let me break it down. take this example of code:
PHP Code:
<?php
print_r($_POST);
?>
<form action="" method="post"> <!-- an empty action submits to this same page -->
<input type="hidden" name="test" value="'Hello' &quot;there&quot;" />
<input type="submit" value="POST" />
</form>
now, if you are using magic_quotes_gpc, then all user input ($_POST, $_GET) basically has addslashes() ran on it. this adds a slash to every single quote, double quote, backslash, and null byte. this means that when you submit the script above, it will produce the following:
Code:
Array ( [test] => \'Hello\' \"there\" )
this means that the input to this script has been sanitised. however, this is an unreliable sanitation because it relies on a server variable being set. without that variable being set, this script is vulnerable. that's bad. magic_quotes_gpc being on also means that you would need to use stripslashes() on anything you want to output to the browser. if you're not even using a database, this is completely unnecessary and is a waste of resources (even if the resource usage isn't very taxing). anyway, if you don't have magic_quotes_gpc on, you would just get plain text:
Code:
Array ( [test] => 'Hello' "there" )
this is where you might be asking yourself what exactly is bad about this? well, if you actually read through my last post, you should be able to piece it together. if not, I'll go through it again. it's all about A) SQL injection, and B) that someone entering a certain character can break your script altogether. how? take the following script for example (magic_quotes_gpc off):
PHP Code:
<?php
$sql = "SELECT * FROM users WHERE username='{$_POST['username']}' AND password='{$_POST['password']}'";
echo $sql;
?>
<form action="" method="post"> <!-- an empty action submits to this same page -->
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
for a legitimate user, we can submit the script like normal. we will get the following query:
Code:
SELECT * FROM users WHERE username='test' AND password='test'
this is fine. right? right. a legitimate user can use this script to login, or do whatever, and everything will be fine. but what if he has a typo, and types his username as test' instead of test? our SQL changes:
Code:
SELECT * FROM users WHERE username='test'' AND password='test'
this will simply produce an error because our SQL is invalid. if errors are suppressed, then the user will just see something about not finding a username match, or whatever. that's kind of fine, too, but not ideal. now, what if an illegitimate user wants to gain access to this system? well, you're not escaping anything in this script. if the user types in the username as ' OR 1=1 # instead of test, then our SQL changes again:
Code:
SELECT * FROM users WHERE username='' OR 1=1 #' AND password='test'
this statement will always be true because either the username needs to be blank, or 1 needs to be equal to 1. 1 is, obviously, always equal to 1. the hash represents a comment, and the rest of the query is simply ignored at this point. this will let an illegitimate user log into your system. this is, for obvious reasons, bad.
so, how do we stop it? introducing the function I've been trying to teach you about for much longer than I think I should have needed to -- mysql_real_escape_string(). what does this function do? it's very similar to magic_quotes_gpc/addslashes(), in that it escapes special PHP characters. however, this function is made for MySQL specifically (meaning you need a MySQL connection in your script to even use it), and so it actually escapes some other MySQL specific characters, too. you can see the list here. now, what if we use this function to escape our variables in the previous script? "how to use" example:
PHP Code:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
echo $sql;
?>
<form action="" method="post"> <!-- an empty action submits to this same page -->
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
so, what has this done for us? let's see. if we submit the script as is (the legitimate user), we get this:
Code:
SELECT * FROM users WHERE username='test' AND password='test'
this will log the test user in. if our legitimate user makes a typo (test' instead of test), we get this:
Code:
SELECT * FROM users WHERE username='test\'' AND password='test'
this will be a valid query that returns a result set of 0. this is ideal. and what if we have an illegitimate user trying to break into our system? (' OR 1=1 # instead of test)
Code:
SELECT * FROM users WHERE username='\' OR 1=1 #' AND password='test'
so what does this do? well, the quote was escaped by the function, and thus MySQL is searching for a user that is actually named the string "' OR 1=1 #" -- this will most likely come up as a result set of 0. an illegitimate user can no longer break into your system.
so that's it. that's how you use the function, and why you might need to use the function. having magic_quotes_gpc turned off in the future does NOT automatically make you safe. actually, it makes you more vulnerable than if you had it on. that doesn't mean you should have it on, though; it just means that you should be aware of the way your scripts might be exploited so that you can prevent it.
if you get into object oriented programming in PHP, you might run into either PDO or MySQLi, which are object based database handlers. they both support prepared statements that do not require you to use mysql_real_escape_string(). if you're having this much trouble with this function, though, you do not want to start poking your head in that direction yet.
if you don't understand at this point, I simply give up.
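The same three inputs kows walks through (legitimate, typo, and the ' OR 1=1 # string), as an added example that is not from the thread: it shows the interpolated query string each one produces and then runs the check the way post #20 recommends for PDO/MySQLi, with a prepared statement and a stored password hash. Assumptions: PHP 7+ with the pdo_sqlite extension, an in-memory SQLite table, and sample user data constructed here.

```php
<?php
// Added example (not from the thread): the login check done two ways, against an
// in-memory SQLite database so it runs offline with PHP 7+ and pdo_sqlite.
// The table, user name and password are constructed sample data.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    // Store a hash, never the password itself (password_hash/password_verify are PHP 5.5+).
    $ins->execute([':u' => 'test', ':h' => password_hash('test', PASSWORD_DEFAULT)]);
    return $db;
}

// The pattern from the thread: user input pasted straight into the SQL string.
// This only builds the string so the effect of each input is visible; it is never executed.
function buildUnsafeQuery(string $username, string $password): string {
    return "SELECT * FROM users WHERE username='$username' AND password='$password'";
}

// The fix for PDO/MySQLi: a prepared statement with a bound parameter. The input
// travels separately from the SQL text, so quotes and '#' in it are data, not syntax.
// Returns true only for an existing user whose password matches the stored hash.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // no such user: covers both the typo and the injection string
    }
    return password_verify($password, $row['password_hash']);
}

$db = makeDb();
// The three inputs from post #20: legitimate, typo, and the injection string.
foreach (['test', "test'", "' OR 1=1 #"] as $u) {
    echo "input: $u\n";
    echo "  interpolated SQL: " . buildUnsafeQuery($u, 'test') . "\n";
    echo "  prepared-statement login: " . (login($db, $u, 'test') ? 'accepted' : 'rejected') . "\n";
}
```

Only the first input is accepted; the typo and the injection string are both looked up as literal user names and find no row, which is the same outcome the escaped queries in post #20 aim for.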
-
Oct 13th, 2009, 05:06 AM
#21
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
PHP Code:
<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
echo $sql;
?>
<form action="" method="post"> <!-- an empty action submits to this same page -->
<input type="text" name="username" value="test" />
<input type="password" name="password" value="test" />
<input type="submit" value="POST" />
</form>
From comparing your before and after mysql_real_escape_string codes the only difference I can see is that to the second code you added:
PHP Code:
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
I added the above lines to my code whenever I inserted, selected, updated or deleted data. I modified the code as needed to suit the different variables I was using but the majority of the code remained the same. This is some of the code I used:
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('$username','$password')";
I hope I understood correctly this time.
-
Oct 13th, 2009, 10:30 AM
#22
Re: Re-designing a flash site in (x)html
yes, the code will basically remain the same. you're just storing sanitised versions of user input rather than raw user input; this makes them safe. that is, literally, all you needed to do!
-
Oct 13th, 2009, 04:52 PM
#23
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
yes, the code will basically remain the same. you're just storing sanitised versions of user input rather than raw user input; this makes them safe. that is, literally, all you needed to do!
Although, I haven't been noticing any difference when the user accidentally enters the wrong data. I think this might be because I was testing on a flash site where validation was used from flash code to check the user details were correct before sending them to the php script.
Edit:
Also, do I need to add real escape to the post strings of a mail form?
PHP Code:
<?php
$sendTo = "myemail";
$subject = $_POST["uSubject"];
$message = "Customers name: " . $_POST["Username"] . "\n\r"
         . "Customers email:" . $_POST["uEmail"] . "\n\r"
         . "Customers address:" . $_POST["uAddress"] . "\n\r";
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>
Last edited by Nightwalker83; Oct 13th, 2009 at 07:48 PM.
Reason: Adding more!
-
Oct 13th, 2009, 07:57 PM
#24
Re: Re-designing a flash site in (x)html
no. you don't need to escape things for email. mysql_real_escape_string() is just to prevent SQL injection for MySQL.
-
Oct 13th, 2009, 08:05 PM
#25
Re: Re-designing a flash site in (x)html
Email headers (To, From, Subject) must be sanitised but the email body can be left as is.
-
Oct 13th, 2009, 08:11 PM
#26
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
no. you don't need to escape things for email. mysql_real_escape_string() is just to prevent SQL injection for MySQL.
Ah ok!
 Originally Posted by penagate
Email headers (To, From, Subject) must be sanitised but the email body can be left as is.
I am confused as to why you say that when kows says otherwise?
-
Oct 13th, 2009, 08:40 PM
#27
Re: Re-designing a flash site in (x)html
What if someone posts a subject which contains the string \r\nTo:someoneelse?
At the very least, strip newline characters out of the header fields.
-
Oct 13th, 2009, 09:21 PM
#28
Re: Re-designing a flash site in (x)html
penagate is right. I was really just referring to using mysql_real_escape_string for it.
-
Oct 13th, 2009, 10:14 PM
#29
Re: Re-designing a flash site in (x)html
PHP Code:
<?php
sendTo = "myemail";
$subject =mysql_real_escape_string (. $_POST["uSubject"]);
$message = "Customers name: " mysql_real_escape_string (. $_POST["Username"])."\n\r"
         ."Customers email:" mysql_real_escape_string(. $_POST["uEmail"]) . "\n\r"
         ."Customers address:" mysql_real_escape_string(. $_POST["uAddress"]) . "\n\r" ;
$header = "From: flash application";
mail($sendTo, $subject, $message, $header);
?>
I hope that is the correct way to write the code!
Edit:
For some reason the php seems to be closing after I include the real escape string. Before I added the real escape string the code was working perfectly, but now it's not. I checked the errors.txt and it says:
[14-Oct-2009 20:18:59] PHP Fatal error: Call to undefined function: mysql_real_escape_string() in c:\phpdev\www\flash\dynamicwebsite\createbazaarceramics.php on line 42
The error is the same for all the php files!
Edit:
Found the answer:
I was testing my code using php 4.2.3; guess I should stick to WAMPServer or wait for the full release of phpdev 5.
Last edited by Nightwalker83; Oct 14th, 2009 at 05:22 AM.
Reason: Adding more!
-
Oct 14th, 2009, 10:20 AM
#30
Re: Re-designing a flash site in (x)html
you also can't use mysql_real_escape_string() unless you have a valid mysql connection. you should probably just use addslashes() or create your own function to strip new line characters (\r and \n).
make sure you're concatenating strings correctly, too. in whatever example you posted, you weren't doing it correctly:
PHP Code:
//right:
$var = "some text" . function($var) . "concatenation";
//wrong (parse error):
$var = "some text" function(. $var) . "concatenation";
-
Oct 14th, 2009, 11:52 AM
#31
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
you should probably just use addslashes()
-.-_-.-
 Originally Posted by kows
 Originally Posted by penagate
Rule of thumb: If you're using addslashes and stripslashes, you probably shouldn't be.
Is it a different context that makes it recommendable here? (Asking to learn.)
-
Oct 14th, 2009, 03:41 PM
#32
Re: Re-designing a flash site in (x)html
 Originally Posted by kows
you also can't use mysql_real_escape_string() unless you have a valid mysql connection. you should probably just use addslashes() or create your own function to strip new line characters (\r and \n).
make sure you're concatenating strings correctly, too. in whatever example you posted, you weren't doing it correctly:
PHP Code:
//right:
$var = "some text" . function($var) . "concatenation";
//wrong (parse error):
$var = "some text" function(. $var) . "concatenation";
Ah ok, I am not sure why the "." was in the original code anyway. However, is there any reason to have the real escape string in there, since it is not sending the information to a database?
I will see if the rest of the code works on the computers at school in reference to the quote below:
For some reason the php seems to closing after I include the real escape string. Before I added the real escape string the code was working perfectly but now its not.
I'm pretty sure that it is a software problem because it seems to take forever to connect to localhost.
-
Oct 14th, 2009, 03:45 PM
#33
Re: Re-designing a flash site in (x)html
this is one of the only situations I would ever suggest using addslashes()! but yes, it's just the context. you need to escape new line characters. you can either do it manually with a replace, or just use addslashes. I'm not sure there would be any easier way to do it.
-
Oct 14th, 2009, 06:06 PM
#34
Re: Re-designing a flash site in (x)html
addslashes will not touch newline characters and furthermore the slash-to-escape notation isn't supported in email headers.
Just use str_replace.
-
Oct 16th, 2009, 02:16 AM
#35
Re: Re-designing a flash site in (x)html
I have solved the problem of why my code wasn't working as stated in post #29. The problem is that the "mysql_real_escape_string" is interfering with my code and not allowing it to execute. Is there any way around it? If not I won't add the "mysql_real_escape_string" to my code. I came across the solution while trying to solve the "Waiting for localhost" problem.
-
Oct 16th, 2009, 09:38 AM
#36
Re: Re-designing a flash site in (x)html
Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.
Code:
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines,"",$_POST["uSubject"]);
Last edited by SambaNeko; Oct 16th, 2009 at 09:42 AM.
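Pulling the advice of posts #27, #34 and #36 together, here is an added example (not code posted by anyone in this thread): a small header-field sanitiser built on the str_replace approach above, run against the kind of subject penagate described. The function names, the placeholder addresses and the constructed form input are my own.

```php
<?php
// Added example (not from the thread). Strips CR/LF (and NUL) from a value
// destined for an email header so a submitted subject cannot carry extra
// header lines into mail(). Only header fields get this treatment; the body
// is left alone, as penagate noted.
function sanitizeHeaderField(string $value, int $maxLength = 200): string
{
    // str_replace accepts arrays, so one pass covers "\r\n", a lone "\r",
    // a lone "\n" and NUL.
    $clean = str_replace(["\r\n", "\r", "\n", "\0"], '', $value);
    // Drop any remaining control characters and cap the length.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return substr(trim($clean), 0, $maxLength);
}

// An address that ends up in a header must also be a single valid mailbox;
// reject anything else rather than try to repair it.
function validEmailOrNull(string $value): ?string
{
    $candidate = sanitizeHeaderField($value);
    return filter_var($candidate, FILTER_VALIDATE_EMAIL) === false ? null : $candidate;
}

// Constructed input of the kind discussed in post #27: a subject that tries
// to start a second header on a new line. Stands in for $_POST.
$posted = [
    'uSubject' => "Order question\r\nTo: someoneelse@example.invalid",
    'uEmail'   => "customer@example.com",
    'Username' => "Aaron",
];

// After sanitising, the subject is a single line, so mail() emits exactly
// one Subject header and the injected "To:" never becomes a header.
$subject = sanitizeHeaderField($posted['uSubject']);

$replyTo = validEmailOrNull($posted['uEmail']);
if ($replyTo === null) {
    // Treat a malformed address as a form error and do not send.
    exit('Invalid email address.');
}

// The body needs no escaping; CRLF line endings are just formatting here.
$message = "Customer's name: " . $posted['Username'] . "\r\n"
         . "Customer's email: " . $replyTo . "\r\n";

// Header lines are separated by CRLF. The From address is a fixed constant
// (placeholder here); Reply-To carries the validated user address.
$headers = "From: flash application <noreply@example.com>\r\n"
         . "Reply-To: " . $replyTo . "\r\n";

mail('myemail@example.com', $subject, $message, $headers);
```

The design point is that validation is per field: a free-text subject is cleaned of line breaks, while an address is rejected outright if it is not a single valid mailbox, because "repairing" an address gives no guarantee about what the mail server will do with it.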
-
Oct 16th, 2009, 06:03 PM
#37
Re: Re-designing a flash site in (x)html
 Originally Posted by SambaNeko
Like kows said, mysql_real_escape_string() cannot be used without connecting to a MySQL database first. It's not really appropriate for use in your code on post #29, because you're not dealing with database input. Do like penagate said and use str_replace to get rid of newline characters.
Code:
$newLines = array("\r\n", "\n", "\r");
$subject = str_replace($newLines,"",$_POST["uSubject"]);
Thanks for that! However, I have been running into trouble with the "mysql_escape_string". It seems to be interfering with my php code, stopping it from working.
 Originally Posted by Nightwalker83
The data now gets submitted to the database! In some scripts I had a double up of the same variables possibly because of adding the "mysql_escape string" to the code.
The above quote refers to the fact that I had to remove the "mysql_escape_string" code to get the scripts working.
Edit:
I don't understand why the commented out part doesn't insert the variable in to the database?
PHP Code:
//insert data into tables
//$username = mysql_real_escape_string($_POST['Aaron']);
//$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values ('Aaron','Aaron')";
However, if I type the data straight into the values section it works. So if I use:
PHP Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";
It just puts blank fields in the users table! However, if I do:
PHP Code:
$insert = "insert into users (username, password) values ('Aaron','Aaron')";
It inserts the data into the created fields.
Last edited by Nightwalker83; Oct 16th, 2009 at 06:56 PM.
Reason: Adding more!
-
Oct 16th, 2009, 06:28 PM
#38
Re: Re-designing a flash site in (x)html
 Originally Posted by Nightwalker83
Thanks for that! However, I have been running in to trouble with the "mysql_escape_string". It seems to be interfering with my php code stopping it from working.
The above quote refers to the fact that I had to remove the "mysql_escape_string" code to get the scripts working.
What do you mean by "not working"? Do you get an error, does it not save it? Please elaborate.
-
Oct 16th, 2009, 06:44 PM
#39
Re: Re-designing a flash site in (x)html
 Originally Posted by visualAd
What do you mean by "not working"? Do you get an error, does it not save it? Please elaborate. 
I've edited the above post #37!
-
Oct 16th, 2009, 07:02 PM
#40
Re: Re-designing a flash site in (x)html
Code:
$username = mysql_real_escape_string($_POST['Aaron']);
$password = mysql_real_escape_string($_POST['Aaron']);
$insert = "insert into users (username, password) values (' $username', '$password')";
My assumption would be that you haven't connected to a database, mysql_real_escape_string() is failing as a result, and - intentionally or not - you have the error message suppressed. This causes $insert to resolve to "insert into users (username, password) values ('','')". As has been repeated here, you must connect to a MySQL database before using mysql_real_escape_string().
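The failure mode diagnosed above, a false return silently interpolated as an empty string, is worth seeing beside the fix. The following is an added example, not code from the thread: it makes the legacy escaping path fail loudly, and then shows a prepared statement that removes the hand-escaping step altogether. The DSN, credentials, table name and the constructed form input are placeholders of my own.

```php
<?php
// Added example (not from the thread). With no MySQL connection,
// mysql_real_escape_string() returns false, and with errors suppressed that
// false becomes '' inside the SQL string, giving the blank rows seen in
// post #37. Two defences: make the failure visible, or avoid escaping by hand.

// Constructed form input standing in for $_POST.
$post = ['username' => 'Aaron', 'password' => 'Aaron'];

// 1. Legacy mysql_* path (PHP 5 only; the extension was removed in PHP 7).
//    Connect first, and never treat a false return as data.
function legacyEscapeOrFail(string $value): string
{
    if (!function_exists('mysql_real_escape_string')) {
        throw new RuntimeException('mysql extension not available');
    }
    $escaped = mysql_real_escape_string($value); // requires an open connection
    if ($escaped === false) {
        // The silent failure from post #40, surfaced as an error instead.
        throw new RuntimeException('escaping failed: ' . mysql_error());
    }
    return $escaped;
}

// 2. Prepared statement: values travel separately from the SQL text, so
//    nothing is escaped by hand, and a missing connection or a failed
//    statement throws rather than inserting blanks.
function insertUser(PDO $pdo, string $username, string $password): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    // Hashing the password goes beyond what the thread does, but a login
    // table should never hold the raw value.
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return $stmt->rowCount();
}

try {
    // Placeholder DSN and credentials.
    $pdo = new PDO('mysql:host=localhost;dbname=flash', 'DB_USER', 'DB_PASSWORD', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly
        PDO::ATTR_EMULATE_PREPARES => false,                  // server-side prepares
    ]);
    $rows = insertUser($pdo, $post['username'], $post['password']);
    echo "Inserted $rows row(s)\n";
} catch (PDOException $e) {
    // A connection or SQL failure lands here instead of becoming '' values.
    error_log('users insert failed: ' . $e->getMessage());
    exit('Could not save the account.');
}
```

The check to remember from this thread is the one in `legacyEscapeOrFail`: any escaping function that can return false must have that return tested, because string interpolation will happily turn false into an empty value and the INSERT will still succeed.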