Alright, as you can't simply switch the database API in a bigger project, I took a closer look at your problem. Still, you should switch to mysqli or PDO asap.
The mistake you made was to use mysql_real_escape_string() in the wrong position. You should use it directly before you send your data to the database, so it should actually be used inside your update_query() function.
Let's check the difference between correct and incorrect usage.
How to handle the data
Defining your password.
$password = <<<'PASSWORD'
@:;_-#()\/+.,?!\'"
PASSWORD;
var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""
Next step: Encoding it to json
! Instead, you escaped your string in this place.
$passwordJSON = json_encode($password);
var_dump($passwordJSON);
// string(24) ""@:;_-#()\\\/+.,?!\\'\"""
// compared to:
$passwordEscaped = mysql_real_escape_string($password);
var_dump($passwordEscaped);
// string(22) "@:;_-#()\\/+.,?!\\\'\""
Then comes the time to escape it for the database. But here you used json_encode(), too late.
$passwordJSONEscaped = mysql_real_escape_string($passwordJSON);
var_dump($passwordJSONEscaped);
//string(34) "\"@:;_-#()\\\\\\/+.,?!\\\\\'\\\"\""
// compared to
$passwordEscapedJSON = json_encode($passwordEscaped);
var_dump($passwordEscapedJSON);
// string(32) ""@:;_-#()\\\\\/+.,?!\\\\\\'\\\"""
The result
$resultCorrectWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordJSONEscaped')");
var_dump($resultCorrectWay);
// bool(true)
// vs
$resultWrongWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordEscapedJSON')");
var_dump($resultWrongWay);
// bool(false)
Conclusion
By using json_encode() AFTER you already escaped your string, you added new entities which would have to be escaped for your query to work.
Do it in the correct order, then the database can handle your statement.
The whole thing for trying it at home
<?php
ini_set('display_errors', 1);
error_reporting(-1);
mysql_connect('localhost', 'user', 'password');
mysql_select_db('test');
echo '<pre>';
$password = <<<'PASSWORD'
@:;_-#()\/+.,?!\'"
PASSWORD;
var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""
$passwordJSON = json_encode($password);
var_dump($passwordJSON);
// string(24) ""@:;_-#()\\\/+.,?!\\'\"""
$passwordJSONEscaped = mysql_real_escape_string($passwordJSON);
var_dump($passwordJSONEscaped);
//string(34) "\"@:;_-#()\\\\\\/+.,?!\\\\\'\\\"\""
$resultCorrectWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordJSONEscaped')");
var_dump($resultCorrectWay);
// bool(true)
$passwordEscaped = mysql_real_escape_string($password);
var_dump($passwordEscaped);
// string(22) "@:;_-#()\\/+.,?!\\\'\""
$passwordEscapedJSON = json_encode($passwordEscaped);
var_dump($passwordEscapedJSON);
// string(32) ""@:;_-#()\\\\\/+.,?!\\\\\\'\\\"""
$resultWrongWay = mysql_query("INSERT INTO passwordtest (password) VALUES ('$passwordEscapedJSON')");
var_dump($resultWrongWay);
// bool(false)
edit: when not json encoding
var_dump($password);
// string(18) "@:;_-#()\/+.,?!\'""
mysql_query("INSERT INTO passwordtest (password) VALUES ('" . mysql_real_escape_string($password) . "')");
Value in the database:
@:;_-#()\/+.,?!\'"
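An added example, not part of the original answer: the same encode-first order using PDO, one of the two APIs the answer recommends, where a bound parameter replaces the manual escaping step. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of the MySQL `test` database so it runs without a server.

```php
<?php
// Added example, not the answer's own code.
// Assumption: pdo_sqlite is available; sqlite::memory: stands in for MySQL.
// For MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'user', 'password')
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE passwordtest (password TEXT)');

// Same test password as in the answer (nowdoc: no interpolation, no escapes).
$password = <<<'PASSWORD'
@:;_-#()\/+.,?!\'"
PASSWORD;

// Step 1: application-level encoding comes first.
$passwordJSON = json_encode($password);

// Step 2: hand the value to the database as a bound parameter.
// The SQL text and the data travel separately, so there is no escaping
// step that could be applied in the wrong position or forgotten.
$insert = $pdo->prepare('INSERT INTO passwordtest (password) VALUES (:password)');
$insert->execute([':password' => $passwordJSON]);

// Read the row back and compare it with what was sent.
$stored = $pdo->query('SELECT password FROM passwordtest')->fetchColumn();

// The stored value is the JSON string, byte for byte.
var_dump($stored === $passwordJSON);

// Decoding the stored JSON yields the original password again.
var_dump(json_decode($stored) === $password);
```

Both comparisons print true when the value is stored unchanged and decodes back to the original password.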