mysql_real_escape_string working perfectly in localhost, not working online

Question

On the page http://www.immocorbati.be/tehuur.php the filter functions don't work as they should. Only "Prijsklasse" (price) works. However, if you filter on "Gemeente" (area) Boom for example, it should return 1 home, but it says none are found. Same with "Type" studio should return 3 but doesn't return anything and "Slaapkamer" (bedrooms) 3 slaapkamers should return 1 home, but again none are shown.

What I don't understand is why it works perfectly on localhost , and it works half and half online, because that means the function IS reached. Here are the files. Maybe someone has some pointers as why this happens? Is it possibe that it is database related? But all the other functions in the backend etc. work as they should.

class Pand
{

    //DB settings - Don't worry these are correct
    private $m_sHost = "??????";
    private $m_sUser = "????????";
    private $m_sPassword = "??????";
    private $m_sDatabase = "????????";     

    public function GetToonPandenHuurFilter()
    {
    //de panden worden op pagina getoond volgens filter
            if ($link = mysqli_connect($this->m_sHost, $this->m_sUser, $this->m_sPassword, $this->m_sDatabase))
            {

                    $b = $_POST['typewoning'];
                    $p = $_POST['plaats'];
                    $s = $_POST['slaapkamers'];
                    $k = $_POST['prijsklasse'];


                    $sSql = "select * from tblpand WHERE PandVerkoopstype='Te huur' AND PandOnline='Ja'";
                    if ($b !== 'all') {
                            $sSql .= " AND PandBebouwing='" . mysql_real_escape_string($b) . "'";
                    }                      
                    if ($p !== 'all') {
                            $sSql .= " AND PandPostcodeGemeente='" . mysql_real_escape_string($p) . "'";
                    }
                    if ($s !== 'all') {
                            $sSql .= "AND PandSlaapkamers='" . mysql_real_escape_string($s) . "'";
                    }
                    if ($k == '0') {
                            $sSql .= "";
                    }
                    if ($k == '1') {
                            $sSql .= "AND PandPrijs <'" . 301 . "'";
                    }
                    if ($k == '2') {
                            $sSql .= "AND PandPrijs <'" . 501 . "'";
                    }
                    if ($k == '3') {
                            $sSql .= "AND PandPrijs <'" . 701 . "'";
                    }
                    if ($k == '4') {
                            $sSql .= "AND PandPrijs <'" . 701 . "'";
                    }


                    $rResult = mysqli_query($link, $sSql);
                    return $rResult;
            }
            else
            {
                    // er kon geen connectie gelegd worden met de databank
                    throw new Exception('Ooh my, something terrible happened to the database connection'); 
            }      
            mysqli_close($link);
    }
}

I added error reporting and the feedback says:

mysql_real_escape_string(): Access denied for user ''@'10.246.64.177'
(using password: NO) in /customers/e/a/b/immocorbati.be/httpd.www/classes/Pand.class.php on line 1086

Line 1086 is:

$sSql .= " AND PandBebouwing='" . mysql_real_escape_string($b) . "'";

Answer 1

mysql_real_escape_string requires a database connection to do its work. mysql_real_escape_string belongs to the mysql API. You're establishing a connection using mysqli. mysql and mysqli are two entirely different database APIs; a mysqli connection is useless for mysql_*. mysql has the bad habit of implicitly (trying to) establishing a connection when needed. On your localhost, the implicit connection it's trying to establish happens to work (default username, no password etc.). On your host, it doesn't.

Don't use mysql_real_escape_string when using mysqli. Use mysqli's parameter binding API or at the very least mysqli_real_escape_string .