MyBB Community Forums

Full Version: mysql_real_escape_string not working
Hi everyone,

I'm using MyBB to help me grab some data from a custom table I put in the same database. Now this goes all fine and dandy until I want to grab data based on some user input.

I'm currently using this:
$select = sprintf("SELECT * FROM my_table WHERE user_input= %s", mysql_real_escape_string($user_input));

But i keep getting the message:
Quote: MyBB has experienced an internal SQL error and cannot continue.

SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Query:
SELECT * FROM my_table WHERE user_input=

I'm completely stuck here and the only way I seem to get this to work is to remove the mysql_real_escape_string, but that kinda defeats the whole purpose of me using sprintf here.

Any thoughts on what could be causing this would be greatly appreciated.
Thanks in advance,

Karin
If you're using MyBB, I highly advise using MyBB's database handler. For more information, see here: http://wiki.mybb.com/index.php/Database_Methods

All you need to do is include global.php and define IN_MYBB if you're using an external PHP file then you can do the following:

$data = $db->simple_select('my_table', '*', "userinput = '".$db->escape_string($mybb->input['user_input'])."'");
while ($row = $db->fetch_array($data))
{
//do something
}
Thank you for your reply euantor.

I was under the impression that I still need to write my own query while using those. This is simply constructing the query so I can pass it on to a method like $db->write_query.
Or am I going about this all wrong?
You forgot quotes.

$select = sprintf("SELECT * FROM my_table WHERE user_input='%s'", mysql_real_escape_string($user_input));
I will look into that euantor, thanks for taking time to explain this to me.

Charlie thank you so much, I feel so silly now.
Credited you both with a +1 rep <3
You don't need to pass it onto anything like write_query. The simple_select method is used for running simple single table queries. If, however, you want to use joins and the like, you have to use the write_query method (or just query, though write_query is now preferred in plugins).
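The two points made in the answers above (the missing quotes around the placeholder, and escaping the value for a quoted literal) as an added example that is not part of this thread or of MyBB's own code. It uses the mysqli extension instead of the deprecated mysql_ functions; the connection $link, the my_table column names and the sample value are assumptions, and get_result() needs the mysqlnd driver.

```php
<?php
// Added example, not code from the thread or from MyBB. Assumes an open mysqli
// connection $link to the MyBB database; the sample value is constructed.

// 1. The original post's query: the value is escaped but not quoted, so it is
//    never a string literal. MySQL sees bare text after "=" and raises a 1064
//    syntax error, and an empty value leaves "WHERE user_input=" with nothing
//    after it, exactly as in the error shown in the first post.
function broken_query(mysqli $link, string $user_input): string
{
    return sprintf("SELECT * FROM my_table WHERE user_input=%s",
                   mysqli_real_escape_string($link, $user_input));
}

// 2. The fix from the thread: quote the placeholder. Escaping only does its
//    job inside a quoted literal, where the backslash keeps an embedded quote
//    from ending the string early.
function fixed_query(mysqli $link, string $user_input): string
{
    return sprintf("SELECT * FROM my_table WHERE user_input='%s'",
                   mysqli_real_escape_string($link, $user_input));
}

// 3. The same lookup as a prepared statement: the value never becomes part of
//    the SQL text, so there is no literal to quote or escape by hand.
function find_by_input(mysqli $link, string $user_input): array
{
    $stmt = $link->prepare("SELECT * FROM my_table WHERE user_input = ?");
    $stmt->bind_param('s', $user_input);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage with a constructed value that contains a quote (connection details assumed):
//   $link = new mysqli('localhost', 'dbuser', 'dbpass', 'mybb');
//   echo broken_query($link, "O'Brien"); // ... WHERE user_input=O\'Brien   (1064 syntax error)
//   echo fixed_query($link, "O'Brien");  // ... WHERE user_input='O\'Brien' (valid literal)
//   $rows = find_by_input($link, "O'Brien");
```

One further check worth making when the escaped value shows up empty, as in the quoted error: mysql_real_escape_string() returns false (cast to an empty string) when it has no open mysql_* connection to use, which happens if the board is configured with a different database driver.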