Issue with mysql_real_escape_string()

Question

I began learning to code a few days ago and I am having some issues with mysql_real_escape_string, specifically with a login.php.

The error messages:

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 3

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the     server could not be established in /home/elegant/public_html/php/login.php on line 3

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'elegant'@'localhost' (using password: NO) in /home/elegant/public_html/php/login.php on line 4

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/elegant/public_html/php/login.php on line 4
Please enter a username and a password

Here is the code I have so far -- this code worked in localhost but once I put it online and imported the database tables, it gave me some issues:

<?php

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

if ($username&&$password)

{

$connect = mysql_connect("localhost","elegant_root","password;1") or die("Couldn't             connect!");
mysql_select_db("elegant_ezworkstation") or die("Couldn't find database");

$query = mysql_query("SELECT * FROM users WHERE username=$username");

$numrows = mysql_numrows($query);

if ($numrows!=0)
{

while ($row = mysql_fetch_assoc($query))
{

    $dbusername = $row['username'];
    $dbpassword = $row['password'];

}

if ($username==$dbusername&&$password==$dbpassword)
{

    echo "You're in";

}
else
    echo "Incorrect password!";

}
else
die("That user doesn't exist");

}

else
die("Please enter a username and a password");

?>

EDIT: I changed to mysqli and I got these errors:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 3

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/elegant/public_html/php/login.php on line 4

Answer 1

Putting mysql_real_escape_string() after you connect to the db will work fine.

However, you should shift to mysqli or PDO. MySQL is deprecated now. A few links to help you out

1. Moving from mysql to mysqli or pdo?
2. mysqli or PDO - what are the pros and cons?

The equivalent commands in mysqli and PDO for escaping would be mysqli_real_escape_string() and PDO::quote() respectively.

As people are pointing out, PDO is definitely the better alternative. Here is an answer I previously wrote comparing PDO with others.

PDO - real facts and best practice?

And another advantage of this will be that you don't need to use escaping functions if you use prepared statements with named parameters.