Reputation: 901
"I am using flash as3, php and mysql"
What is the difference between:
$username = $_POST['username'];
$password = md5( $_POST['password']);
and
$username = mysql_real_escape_string( $_POST['username']);
$password = mysql_real_escape_string(md5( $_POST['password']));
I am sending and retrieving variables from flash AS3 to php and back to AS3 again. The former one (without mysql_real_escape_string) works fine. But the latter one gets an error in flash. The error message is: "Parameter text must be non-null."
I tried to "echo" (display) both results, and the results are the same. Very strange... Anyone have any idea?
Upvotes: 0
Views: 1570
Reputation: 5142
Remember that mysql_real_escape_string() needs an open database connection to work properly; if you're calling it before using mysql_connect, it won't have the desired effect.
Upvotes: 3
Reputation: 46207
Error messages are there to help you. Read them.
The error message is: "Parameter text must be non-null."
This would seem to indicate that either your username or the password string is null (empty) and mysql_real_escape_string or (more likely) your md5 function refuses to accept null strings as input. Test for a null string first and you should be fine.
Also, MD5 hashes contain only alphanumeric characters, all of which are safe to use pretty much anywhere. You don't need to pass them through mysql_real_escape_string because the hashing process will have already sanitized the input.
Upvotes: 2
Reputation: 40685
To make it clearer what the other answers correctly state:
It may be fine to use your first version, if you want to pass this variable to flash. It WON'T be ok to use your first version, if you want to use this variable in a database query.
Meaning:
OK
<param name="FlashVars"
value="vGetData=./your/path/yourData.php?params=<?php echo $username; ?>" />
NOT OK
$query = "SELECT something FROM users WHERE username=".$username;
I assume you first authorise the user and then send the data to the flash. If so, there doesn't seem to be a problem. Right?
Upvotes: 2
Reputation: 18960
The first form will do exactly what you think: get the submitted values and MD5 into your variables.
The second form will also escape any "dangerous" characters if there are any. Try it with a username containing quotes and you will get it.
Upvotes: 0
Reputation: 655469
You just need the mysql_real_escape_string if you want to use a string in a query that is then executed by the mysql_query function. And furthermore you just need this function if you cannot ensure that this string doesn't contain certain characters that can violate the integrity of the query you intended.
Upvotes: 2
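Putting the answers together as one added PHP example (my own code, not from any answer above), assuming a `users` table with `username` and `password` columns and the PDO extension: the concatenated query the third answer marks NOT OK, the escaped form that needs an open connection as the first answer notes, and a prepared-statement version that also applies the empty-input check the second answer suggests.

```php
<?php
// Added example, not code from the question or any answer. The `users` table,
// its columns and the use of PDO are assumptions.

// 1. NOT OK: the concatenated query from the third answer. Whatever the user
//    submits becomes part of the SQL text, so quotes in the username change
//    the meaning of the statement instead of being compared as data.
function buildUnsafeQuery(string $username): string {
    return "SELECT id FROM users WHERE username='" . $username . "'";
}

// 2. Escaped: mysql_real_escape_string() only works with an open connection
//    (mysql_connect() first). Without one it returns false, which echoes as an
//    empty string, matching the symptom in the question. The mysql_* functions
//    were removed in PHP 7, so this is shown only to mirror the question:
//
//    $link     = mysql_connect($host, $user, $pass);   // must come first
//    $safeName = mysql_real_escape_string($username, $link);
//    $query    = "SELECT id FROM users WHERE username='" . $safeName . "'";

// 3. Preferred: a prepared statement keeps the values out of the SQL text
//    entirely, so nothing needs escaping for the query and the original
//    (unescaped) variable can still be sent back to Flash afterwards.
function findUser(PDO $db, ?string $username, ?string $password): ?array {
    // Reject null/empty input up front, as the second answer recommends,
    // instead of letting an empty value reach md5() and the query.
    if ($username === null || $username === '' || $password === null || $password === '') {
        return null;
    }
    // md5 is kept to match the question; the hex digest needs no escaping,
    // but a real login should store a password_hash() result instead.
    $hash = md5($password);
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The "OK" case from the third answer is a different output context: the value
// goes into a URL inside FlashVars, so it is URL-encoded, not SQL-escaped.
function flashVarsParam(string $username): string {
    return 'vGetData=./your/path/yourData.php?params=' . rawurlencode($username);
}
```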