On Thu, September 28, 2006 10:06 am, tedd wrote:
> In one of my snip-its, namely:
>
> http://xn--ovg.com/pdf
>
> I was generating a pdf document after the user filled in a form. I
> had been cleaning the user input by using --
>
> $name = mysql_real_escape_string($name);
>
> -- even though I wasn't using MySQL (the code was a cut-paste from
> some other code I had).

But you *WERE* using MySQL!

> However, everything worked!
>
> But, a couple of days ago it suddenly stopped working. Now, I get the
> following error:
>
> Warning: mysql_real_escape_string(): Access denied for user
> 'nobody'@'localhost' (using password: NO) in ...

One of two things happened.

Some auto-connect script is no longer running, or the 'nobody' user in MySQL got nuked.

Cuz you used to be connected to MySQL, and it was using MySQL database information to do the escaping.

> When I comment-out the offending statement, it runs. I replaced the
> statement, but wonder what happened -- when did using
> mysql_real_escape_string() require a password?

mysql_real_escape_string talks back to MySQL to ask it what character encoding you are using, so it knows how to correctly escape multi-byte/unicode/funky characters for MySQL usage.

Take out the "_real" bit, and it's doing a "fake" version that ignores multibyte/unicode/funky characters.

So, short term, just delete '_real' from your function call, and it will act exactly like before, except with the caveat that any unicode/multibyte/funky characters may not be escaped the same way as they were.

> What's up with that? Any ideas as to what happened?

One also has to ask WHY you would use MySQL's escaping for data that's not going into MySQL.

That's almost certainly "wrong".

Though I confess, I'm sometimes at a loss how to properly escape certain data for certain situations...

Here's an example:

Take the Subject of an email. Sure, I've sanitized it to be sure there are no newlines for header injection. But now how do I properly escape it to be sure it's a kosher email subject? Where's the PHP function smtp_escape()? I'm just passing it on from one user to another. I don't want to munge it, nor make any assumptions about its format. It's just "data" to me. But to SMTP, there are bound to be all kinds of "rules" about it that I have no desire, much less time, to research, code, and test in as thorough a fashion as I should to be Professional.

And every developer who sends an email with PHP needs this, right?

So of the myriad PHP functions available, which one is the right one to escape an email Subject?

I'm *NOT* asking for an answer to this specific question about email Subjects!

I'm looking for a guide, a chart, a grid, an organized systemic documentation of what data should be escaped how as it travels through the "glue" that is PHP...

--
Like Music?
http://l-i-e.com/artists.htm
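
The per-destination escaping discussed in the message above, as an added example that is not code from the thread: one constructed input escaped for HTML, a URL, JSON and a mail Subject header. The function names `escape_for` and `escape_mail_subject` are hypothetical, and UTF-8 input with ext/mbstring and PHP 7.3 or later is assumed.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

// Email header value: refuse line breaks and NULs rather than strip them, then
// RFC 2047-encode so non-ASCII text survives transport. Needs ext/mbstring.
function escape_mail_subject(string $subject): string
{
    if (preg_match('/[\r\n\0]/', $subject)) {
        throw new InvalidArgumentException('line break or NUL in header value');
    }
    mb_internal_encoding('UTF-8'); // assumption: the input is UTF-8
    // indent 9 = strlen("Subject: "), so folding accounts for the header name
    return mb_encode_mimeheader($subject, 'UTF-8', 'B', "\r\n", 9);
}

// One escaper per output context; no single function is right for all of them.
function escape_for(string $context, string $value): string
{
    switch ($context) {
        case 'html':  // element content or a quoted attribute value
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case 'url':   // one path segment or query-string value
            return rawurlencode($value);
        case 'json':  // a JSON string literal; hex flags keep it inert in HTML
            $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
            return json_encode($value, JSON_THROW_ON_ERROR | $flags);
        case 'mail-subject':
            return escape_mail_subject($value);
        default:      // unknown destination: fail closed instead of guessing
            throw new InvalidArgumentException("no escaper for context: $context");
    }
}

// Constructed sample input with characters special to several contexts.
$name = "O'Brien <b>&</b> \"Zoë\"";
foreach (['html', 'url', 'json', 'mail-subject'] as $context) {
    printf("%-13s %s\n", $context, escape_for($context, $name));
}
// SQL is deliberately absent: use bound parameters (PDO or mysqli prepared
// statements) so the value never becomes part of the query text.

// A value carrying a line break is rejected, not silently cleaned.
try {
    escape_for('mail-subject', "Hello\r\nBcc: someone@example.com");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```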