Apache Friends Support Forum

[jerrittpace]

I am getting an error:

" mysql_real_escape_string() expects parameter 2 to be resource"

My connection is defined in an include file as:

$conn = new mysqli($servername, $username, $password, $dbname);

The connection goes is made fine.

The mysql_real_escape_string code that's getting the error is like

$first_name = mysql_real_escape_string(trim(strip_tags($_POST['first_name'])), $conn);

I am trying to go about making this form in the way I think I have been reading that will make the site and database less susceptible to various attacks; to be honest, I think i am coming to the conclusion that this function is depreciated, and I guess I should probably be looking to just use other tools. But, I am still baffled by this error.

Also, I guess any advise about how to learn about making this form more secure would be greatly appreciated.

Thank you very much for your help!!

[Altrea]

Ever tried to print out the contents of the second parameter right before the error occures?

Code: Select all

var_dump($conn); 

[jerrittpace]

This is what gets returned:

object(mysqli)#1 (19) { ["affected_rows"]=> int(0) ["client_info"]=> string(79) "mysqlnd 5.0.11-dev - 20120503 - $Id: 3c688b6bbc30d36af3ac34fdd4b7b5b787fe5555 $" ["client_version"]=> int(50011) ["connect_errno"]=> int(0) ["connect_error"]=> NULL ["errno"]=> int(0) ["error"]=> string(0) "" ["error_list"]=> array(0) { } ["field_count"]=> int(0) ["host_info"]=> string(20) "127.0.0.1 via TCP/IP" ["info"]=> NULL ["insert_id"]=> int(0) ["server_info"]=> string(21) "5.5.5-10.0.17-MariaDB" ["server_version"]=> int(50505) ["stat"]=> string(137) "Uptime: 528959 Threads: 1 Questions: 18347 Slow queries: 0 Opens: 24 Flush tables: 1 Open tables: 77 Queries per second avg: 0.034" ["sqlstate"]=> string(5) "00000" ["protocol_version"]=> int(10) ["thread_id"]=> int(1052) ["warning_count"]=> int(0) }


The connection is working fine, and the data is imputed into the database, I just cannot get the mysql_real_escape_string to recognize the variable. Like I said, the variable was defined on another page, but that shouldn't cause a problem, should it?

[Nobbie]

You cannot mix mysql_ functions with mysqli_ functions. Instead of mysql_real_escape_string you have to use mysqli_real_escape_string after calling mysqlI_connect()

You also should not mix functions with objects. You use "new mysqli()" which does NOT return a handle, but an object. Your script is a horrible mix of mysql functions and mysqli objects, which does not work. The fully correct syntax for your script is:

Code: Select all

$conn = new mysqli($servername, $username, $password, $dbname);

....

$first_name = $conn->real_escape_string(trim(strip_tags($_POST['first_name']));

You should read some tutorials and documentation about that, for example: http://php.net/manual/en/mysqli.real-escape-string.php

[jerrittpace]

Yeah, thank you, that got rid of the errors.

I was trying to learn how to parse the data to be able to limit the SQL injection attacks, so I thought what I was trying to do with the mysql_real_escape_string was to take html and other code from the responses. I am still getting those codes in the responses inside the database, so I guess I'm going to have to go back and figure out how to accomplish this objective a little later.

Any advice about the things I need to pay attention to concerning form data versus security concerns would be much appreciated.

[Nobbie]

Any advice about the things I need to pay attention to concerning form data versus security concerns would be much appreciated.

Usage of escape-functions (as already implemented) and never ever do an "eval()" on foreign data. That should be sufficient.

[Altrea]

PHP security is a really sophisticated topic. You cannot answer that with just a few lines in a forum post.

MySQL real_escape_functions don't filter out any tags, but they escape them so that they are not any longer dangerous for your database statement (but the data can still be dangerous for other uses, like XSS vulnerabilities).

But also for SQL Injections there are better ways to protect, like prepared statements which i would recommend.

If you want to learn more about web application security simply google around a little bit like for "top 10 web security vulnerabilities". There is a massive amount of information.

[jerrittpace]

Thank you once again!!

I am trying to learn how to implement prepared statements, and I really do appreciate your advice!!

[jerrittpace]

Do you think using prepared statements makes a form page safe enough to implement on a live site?

[Altrea]

As already said, prepared statements can only secure the database side (SQL Injections). But if correctly used prepared statements are doing the best job because all params get automatically escaped, so you cannot forget any of them by accident.

There are other vulnerabilities you need to check if you are working with forms (depending on the type of data and usage) like XSS, CSRF, Session Hacking, Remote File Inclusion. There is not only one right answer and if you want to host a live website it is your task to read all about form security.