mysql_real_escape_string "expects parameter 2 to be resource"

Postby jerrittpace » 28. November 2015 21:10

I am getting an error:

" mysql_real_escape_string() expects parameter 2 to be resource"

My connection is defined in an include file as:

$conn = new mysqli($servername, $username, $password, $dbname);

The connection is made fine.

The mysql_real_escape_string code that's getting the error is like

$first_name = mysql_real_escape_string(trim(strip_tags($_POST['first_name'])), $conn);

I am trying to go about making this form in the way I think I have been reading will make the site and database less susceptible to various attacks; to be honest, I think I am coming to the conclusion that this function is deprecated, and I guess I should probably be looking to just use other tools. But I am still baffled by this error.

Also, I guess any advice about how to learn about making this form more secure would be greatly appreciated.

Thank you very much for your help!!
jerrittpace
 
Posts: 26
Joined: 14. November 2015 18:54
Operating System: windows

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby Altrea » 28. November 2015 22:04

Ever tried to print out the contents of the second parameter right before the error occurs?

var_dump($conn);
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby jerrittpace » 28. November 2015 22:19

This is what gets returned:

object(mysqli)#1 (19) { ["affected_rows"]=> int(0) ["client_info"]=> string(79) "mysqlnd 5.0.11-dev - 20120503 - $Id: 3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $" ["client_version"]=> int(50011) ["connect_errno"]=> int(0) ["connect_error"]=> NULL ["errno"]=> int(0) ["error"]=> string(0) "" ["error_list"]=> array(0) { } ["field_count"]=> int(0) ["host_info"]=> string(20) "127.0.0.1 via TCP/IP" ["info"]=> NULL ["insert_id"]=> int(0) ["server_info"]=> string(21) "5.5.5-10.0.17-MariaDB" ["server_version"]=> int(50505) ["stat"]=> string(137) "Uptime: 528959 Threads: 1 Questions: 18347 Slow queries: 0 Opens: 24 Flush tables: 1 Open tables: 77 Queries per second avg: 0.034" ["sqlstate"]=> string(5) "00000" ["protocol_version"]=> int(10) ["thread_id"]=> int(1052) ["warning_count"]=> int(0) }


The connection is working fine, and the data is inputted into the database, I just cannot get the mysql_real_escape_string to recognize the variable. Like I said, the variable was defined on another page, but that shouldn't cause a problem, should it?
jerrittpace
 
Posts: 26
Joined: 14. November 2015 18:54
Operating System: windows

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby Nobbie » 28. November 2015 22:29

You cannot mix mysql_ functions with mysqli_ functions. Instead of mysql_real_escape_string you have to use mysqli_real_escape_string after calling mysqli_connect().

You also should not mix functions with objects. You use "new mysqli()" which does NOT return a handle, but an object. Your script is a horrible mix of mysql functions and mysqli objects, which does not work. The fully correct syntax for your script is:

$conn = new mysqli($servername, $username, $password, $dbname);

....

$first_name = $conn->real_escape_string(trim(strip_tags($_POST['first_name'])));


You should read some tutorials and documentation about that, for example: http://php.net/manual/en/mysqli.real-escape-string.php
Nobbie
 
Posts: 8768
Joined: 09. March 2008 13:04
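As an added example (this is not the original poster's code and not from the thread), here is the corrected mysqli flow the post above describes, together with the two checks a practitioner would want when relying on escaping: that the escaped value is placed inside quotes in the SQL text, and that escaping does nothing for an unquoted numeric context. The table `contacts` with its `first_name` column and the `$servername`/`$username`/`$password`/`$dbname` variables from the include file are assumptions.

```php
<?php
// Added example, not code from the thread: the corrected mysqli flow, with the
// escaped value placed inside quotes in the SQL text.
// Assumes a hypothetical table `contacts` with a VARCHAR column `first_name`
// and the $servername/$username/$password/$dbname variables from the include file.
declare(strict_types=1);

// Make mysqli throw on errors instead of returning false that nobody checks.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = new mysqli($servername, $username, $password, $dbname);
// Escaping is charset-aware, so fix the connection charset before escaping anything.
$conn->set_charset('utf8mb4');

$raw = trim(strip_tags((string)($_POST['first_name'] ?? '')));

// Same operation in both mysqli styles. In the procedural form the connection
// is the FIRST argument, which is the other difference from the old mysql_ API.
$safe  = $conn->real_escape_string($raw);
$safe2 = mysqli_real_escape_string($conn, $raw);   // same result as $safe

// The escaped value only protects the query when it sits inside a quoted literal.
$conn->query("INSERT INTO contacts (first_name) VALUES ('" . $safe . "')");

// What escaping does: for the input
//     O'Brien'); DROP TABLE contacts; --
// real_escape_string produces
//     O\'Brien\'); DROP TABLE contacts; --
// (quotes are escaped; nothing is removed), so the closing quote supplied by
// the attacker no longer ends the literal and the whole thing is stored as text.

// What escaping does not do: it cannot help in an unquoted (numeric) context.
// For $_POST['id'] = "1 OR 1=1" there is nothing to escape, the value comes
// back unchanged, and this query would still match every row:
//     $id = $conn->real_escape_string($_POST['id']);
//     $conn->query("SELECT first_name FROM contacts WHERE id = " . $id);   // injectable
// Without prepared statements, cast to the expected type instead:
$id  = (int)($_POST['id'] ?? 0);
$res = $conn->query("SELECT first_name FROM contacts WHERE id = " . $id);
```

The `strip_tags()` call is kept only because it was in the original code; it is not what makes the query safe. Escaping the quotes is what keeps the literal closed, and casting is what keeps the numeric context safe.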

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby jerrittpace » 28. November 2015 22:43

Yeah, thank you, that got rid of the errors.

I was trying to learn how to parse the data to be able to limit the SQL injection attacks, so I thought what I was trying to do with the mysql_real_escape_string was to take HTML and other code out of the responses. I am still getting those codes in the responses inside the database, so I guess I'm going to have to go back and figure out how to accomplish this objective a little later.

Any advice about the things I need to pay attention to concerning form data versus security concerns would be much appreciated.
jerrittpace
 
Posts: 26
Joined: 14. November 2015 18:54
Operating System: windows

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby Nobbie » 29. November 2015 11:05

jerrittpace wrote: Any advice about the things I need to pay attention to concerning form data versus security concerns would be much appreciated.


Usage of escape-functions (as already implemented) and never ever do an "eval()" on foreign data. That should be sufficient.
Nobbie
 
Posts: 8768
Joined: 09. March 2008 13:04

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby Altrea » 29. November 2015 13:27

PHP security is a really sophisticated topic. You cannot answer that with just a few lines in a forum post.

The MySQL real_escape functions don't filter out any tags; they escape them so that they are no longer dangerous for your database statement (but the data can still be dangerous for other uses, like XSS vulnerabilities).

But also for SQL injections there are better ways to protect, like prepared statements, which I would recommend.

If you want to learn more about web application security, simply google around a little bit, e.g. for "top 10 web security vulnerabilities". There is a massive amount of information.
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64
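The post above makes the point that SQL escaping leaves the tags in the data and that the stored text is still dangerous when it is shown again in a page. As an added example (not from the thread, not anyone's production code), the script below shows why filtering on input with `strip_tags()` is not the answer to that, and what encoding the value for its output context looks like instead. The three sample values are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: SQL escaping protects the query;
// the stored text is still raw HTML when echoed back into a page, so encode
// it for the output context instead of trying to strip it on the way in.
declare(strict_types=1);

/**
 * Encode a value for insertion into HTML text or into a quoted attribute.
 * ENT_QUOTES also encodes ' and ", which is what stops attribute breakout.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample values, as a form might re-display them after submission.
$samples = [
    'tags'      => '<script>alert(document.cookie)</script>',
    'attribute' => '" autofocus onfocus="alert(1)',   // contains no tag at all
    'benign'    => '5<6 and 7>3',                     // legitimate text
];

foreach ($samples as $label => $value) {
    // strip_tags() on the way in: removes the <script> element from the first
    // sample, leaves the attribute-breakout payload untouched because there is
    // no "<" in it, and can remove real content from the third sample because
    // "<6 and 7>" looks like a tag to it.
    $stripped = strip_tags($value);

    echo $label, "\n";
    echo "  after strip_tags():        ", $stripped, "\n";

    // Encoding at output time keeps every sample intact as data and inert as
    // markup, in both the text context and the quoted-attribute context.
    echo "  encoded as text:           ", h($value), "\n";
    echo '  encoded inside attribute:  <input name="first_name" value="', h($value), '">', "\n";
}
```

The rule of thumb the output demonstrates: store what the user sent (after validating that it fits the field), escape or bind it for SQL, and encode it with `htmlspecialchars()` at the point where it is written into HTML. Each layer handles its own context; none of them can do the other's job.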

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby jerrittpace » 30. November 2015 18:20

Thank you once again!!

I am trying to learn how to implement prepared statements, and I really do appreciate your advice!!
jerrittpace
 
Posts: 26
Joined: 14. November 2015 18:54
Operating System: windows

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby jerrittpace » 01. December 2015 18:23

Do you think using prepared statements makes a form page safe enough to implement on a live site?
jerrittpace
 
Posts: 26
Joined: 14. November 2015 18:54
Operating System: windows

Re: mysql_real_escape_string "expects parameter 2 to be reso

Postby Altrea » 01. December 2015 21:10

As already said, prepared statements can only secure the database side (SQL injections). But if used correctly, prepared statements do the best job, because all params get escaped automatically, so you cannot forget any of them by accident.

There are other vulnerabilities you need to check if you are working with forms (depending on the type of data and usage) like XSS, CSRF, Session Hacking, Remote File Inclusion. There is not only one right answer and if you want to host a live website it is your task to read all about form security.
Altrea
AF Moderator
 
Posts: 8290
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64
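To show the form side of this advice in one place, here is an added example (not from the thread and not the original poster's page) of a minimal handler that uses a mysqli prepared statement for the INSERT, a per-session CSRF token for the form, hardened session cookie flags, and output encoding when the saved value is echoed back. It assumes `$conn` is the connected `mysqli` object from the include file, a hypothetical table `contacts(first_name VARCHAR(100))`, and that the site is served over HTTPS (required for the `secure` cookie flag).

```php
<?php
// Added example, not code from the thread: form handler with a prepared
// statement, a CSRF token and hardened session cookies.
// Assumes $conn (connected mysqli object from the include file), a table
// `contacts(first_name VARCHAR(100))` and an HTTPS site. All hypothetical.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Session cookie: not readable by script, only sent over HTTPS,
// not sent on cross-site requests. Must be set before session_start().
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool
{
    // hash_equals() compares in constant time; a missing token is a hard failure.
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function insert_contact(mysqli $conn, string $firstName): int
{
    // The SQL text is fixed; the value travels separately as a bound parameter
    // and is never parsed as SQL, so there is nothing to escape and nothing to forget.
    $stmt = $conn->prepare('INSERT INTO contacts (first_name) VALUES (?)');
    $stmt->bind_param('s', $firstName);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid form token.');
    }

    // Validate the shape of the value and reject what does not fit the field;
    // do not try to "clean" it. The length limit matches the column.
    $firstName = trim((string) ($_POST['first_name'] ?? ''));
    if ($firstName === '' || mb_strlen($firstName) > 100) {
        http_response_code(422);
        exit('First name is required and must be at most 100 characters.');
    }

    $id = insert_contact($conn, $firstName);
    // The value goes to the browser through h(), whatever it contains.
    echo 'Saved contact #', $id, ' as ', h($firstName);
    exit;
}
?>
<form method="post" action="">
    <input type="hidden" name="csrf" value="<?= h(csrf_token()) ?>">
    <label>First name <input name="first_name" maxlength="100" required></label>
    <button type="submit">Save</button>
</form>
```

Each mechanism maps to one item from the post above: the prepared statement covers SQL injection, the token covers CSRF, the cookie flags cover the common session-theft routes, and `h()` covers XSS on the way out. Remote file inclusion is not a form-handling concern at all; it is avoided by never building an `include`/`require` path from request data.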

