
$mysqli->real_escape_string() not working

P: 72
Hi there,

Can anyone tell me why the escape_string routines work on my PC but not on the server?

I am using the object version of mysqli.

PC PHP version = 5.2.9-2
Server PHP version = 5.3.2-1

  1. if ($mysqli->set_charset("utf8")) {
  2. }
  4. $okName = $mysqli->real_escape_string($_POST['Name']);
  5. $okName = htmlspecialchars(okName);
test string = (Toby is a good <>'"-/)

output on my pc = (Toby is a good &lt;&gt;\'\&quot;-/)
output on server = (Toby is a good <>'"-/), ie unchanged

May 17 '14 #1

✓ answered by Luuk

If you see a '<' in your browser,
then the source might look like '&lt;'


Expert 100+
P: 1,035
Change line 5 to:
    $okName = htmlspecialchars($okName);
May 17 '14 #2

P: 72
Thanks for your reply Luuk.

I did have $okName in my program. That was a typing error in my question. Sorry.

Any other ideas? What can be the difference between the systems on my PC and the server?
May 19 '14 #3

Expert 100+
P: 1,035
How are you viewing the output of your server?
If you do this in a browser, did you do a 'view source'?
May 19 '14 #4

P: 72
Thanks for your reply Luuk.

This is part of the code for a registration form. I save the user info to a mysql database. I am trying to validate the user input to eliminate potential problems such as chars "/<>'"\".

I test the code on my PC before migrating it to the server. So the code is the same in both environments.

I looked at the db records created and noticed the functions have no effect on the server. I use the app "mySQL Query Browser" to look at the records on my PC and a browser to display server records. No, I haven't used "view source" to do that. Server is down right now. Output:

db record on my pc = (Toby is a good &lt;&gt;\'\&quot;-/)
db record on server = (Toby is a good <>'"-/), ie unchanged

Thanks for your help. Ideas? Here is a bit more of my code.

    $okName = $mysqli->real_escape_string($_POST['Name']);
    $okName = htmlentities($okName);

    $sql = "INSERT INTO OnlineTbl (UserName,..) VALUES ('$okName',..)";

    if (!$mysqli->query($sql)) {
        die("Error: ".$mysqli->error);
    }
May 20 '14 #5

Expert 100+
P: 1,035
If you see a '<' in your browser,
then the source might look like '&lt;'
May 20 '14 #6

P: 72
Yes, you are right.

I didn’t realise the browser would convert chars back automatically.

Thank you very much Luuk. Problem solved.
May 24 '14 #7

P: 13
Your server may have a different configuration/version of mysql.
Jun 8 '14 #8
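
The resolution of this thread (entities are decoded by the browser, so only "view source" shows them) can be reproduced with the sketch below, which is an added example and not code from any poster. It also separates the two layers: a bound parameter handles the SQL side and `htmlspecialchars()` is applied only at output. Assumptions: an in-memory SQLite database through PDO (requires the pdo_sqlite extension) stands in for the MySQL server so the script runs offline, the `html_out()` helper is hypothetical, and `html_entity_decode()` approximates what the browser displays.

```php
<?php
// Constructed input: the test string from the question.
$name = 'Toby is a good <>\'"-/';

// Assumption: in-memory SQLite via PDO replaces the MySQL server here.
// With mysqli the equivalent step is $mysqli->prepare() plus bind_param().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE OnlineTbl (UserName TEXT)');

// SQL layer: bind the raw value, no escaping function is applied to it.
$stmt = $db->prepare('INSERT INTO OnlineTbl (UserName) VALUES (:name)');
$stmt->execute([':name' => $name]);

$stored = $db->query('SELECT UserName FROM OnlineTbl')->fetchColumn();

// HTML layer: encode only at the moment the value is written into a page.
// html_out() is a hypothetical helper name used for this example.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What the server sends, i.e. what "view source" shows.
$source = html_out($stored);

// Approximation of what the browser displays after decoding the entities.
$rendered = html_entity_decode($source, ENT_QUOTES | ENT_HTML5, 'UTF-8');

echo "stored   : $stored\n";
echo "source   : $source\n";
echo "rendered : $rendered\n";

// Comparisons: database value, displayed text and markup against the input.
echo 'stored equals input   : ', var_export($stored === $name, true), "\n";
echo 'rendered equals input : ', var_export($rendered === $name, true), "\n";
echo 'source equals input   : ', var_export($source === $name, true), "\n";
```

Comparing the `source` and `rendered` lines shows why a record viewed through a browser can look unchanged even though the markup contains entities.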
