ibuprofen Posted December 14, 2008

I've seen lots of tutorials on mysqli_real_escape_string(), but they all assume you're inputting directly from a form to the database using the $_POST method. On my site I'm displaying the user input on a verification page before submitting it. After the user proofs the input, they hit "Submit" and it goes to a confirmation page. The confirmation page connects to the database like this:

    {
        $updateScript = 'ttp';
        include ('file:///Library/WebServer/Documents/connectScript/updateScripts.php');
    }

Here is the query used to add the record from the "updateScripts.php" document:

    $host = "REMOVED";
    $user = "REMOVED";
    $password = "REMOVED";
    $database = "materials";
    $cxn = mysqli_connect($host, $user, $password, $database)
        or die ("Cannot connect to $database, see system administrator.");

    if ($updateScript == 'ttp') {
        // Raw $_GET values interpolated straight into the SQL string
        $query = "UPDATE thermal_transfer_paper SET category='TTP',
            material='$_GET[var14]', supplier='$_GET[var15]', supplierItemNo='$_GET[var1]',
            pricingClass='$_GET[var16]', msi_to_49='$_GET[var2]', msi_to_49c='$_GET[var3]',
            msi_over_49='$_GET[var4]', msi_over_49c='$_GET[var5]', description='$_GET[var6]',
            notes='$_GET[var7]', matThick='$_GET[var8]', linerThick='$_GET[var9]',
            unit='$_GET[var13]', linerType='$_GET[var17]', needsRetool='$_GET[var11]',
            baseMat='$_GET[var10]', ULComp='$_GET[var12]', matUnit='$_GET[var25]'
            WHERE supplierItemNo = '$whichRecord'";
        $result = mysqli_query($cxn, $query)
            or die ("Could not execute query, see system administrator.");
    }

Where do I use mysqli_real_escape_string? I've tried several ways but I always get errors.

Thomas

Link: https://forums.phpfreaks.com/topic/136879-mysqli_real_escape_string-problems/
peranha Posted December 14, 2008

In here:

    if ($updateScript == 'ttp') {
        // Escape each value on the open mysqli connection before it goes into the query
        $var14 = mysqli_real_escape_string($cxn, $_GET['var14']);
        $query = "UPDATE thermal_transfer_paper SET category='TTP', material='$var14',

along those lines.
ibuprofen Posted December 14, 2008 (Author)

I added the line marked below to the database connect script and I don't have a problem with apostrophes anymore, but I still can't use double quotes or other special characters. Drat. BTW: I have Magic Quotes turned off.

    $host = "REMOVED";
    $user = "REMOVED";
    $password = "REMOVED";
    $database = "materials";
    $cxn = mysqli_connect($host, $user, $password, $database)
        or die ("Cannot connect to $database, see system administrator.");

    // added line
    $var36 = mysqli_real_escape_string($cxn, trim($_GET['var6']));

    if ($updateScript == 'ttp') {
        $query = "UPDATE thermal_transfer_paper SET category='TTP', material='$var36'
            WHERE supplierItemNo = '$whichRecord'";
        $result = mysqli_query($cxn, $query)
            or die ("Could not execute query, see system administrator.");
    }

Thanks for the pointer,

Thomas
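As an added example that is not code from the thread: the update from the posts above written two ways, first with every interpolated value run through mysqli_real_escape_string() on the same connection, then with a prepared statement (a technique the thread does not mention) that keeps the values out of the SQL text entirely. It assumes the table and $_GET parameter names from the posts, an open connection in $cxn, and the row key in $whichRecord; only a few of the columns are shown.

```php
<?php
// Added example, not from the thread. Assumes the thermal_transfer_paper table
// and $_GET names used above; $cxn is an open mysqli connection and
// $whichRecord is the supplierItemNo of the row being updated.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1) Escaping, as asked about in the thread. Every value must pass through
//    mysqli_real_escape_string() on the SAME connection and then sit inside a
//    quoted literal. Any value left raw (as in the first post) lets a quote in
//    the input terminate the literal and alter the statement.
function update_escaped(mysqli $cxn, array $in, string $whichRecord): bool
{
    $material = mysqli_real_escape_string($cxn, trim($in['var14'] ?? ''));
    $supplier = mysqli_real_escape_string($cxn, trim($in['var15'] ?? ''));
    $desc     = mysqli_real_escape_string($cxn, trim($in['var6'] ?? ''));
    $record   = mysqli_real_escape_string($cxn, $whichRecord);
    $query = "UPDATE thermal_transfer_paper
              SET category='TTP', material='$material',
                  supplier='$supplier', description='$desc'
              WHERE supplierItemNo='$record'";
    return mysqli_query($cxn, $query);
}

// 2) Prepared statement. The SQL text contains only placeholders; the values
//    travel separately, so apostrophes, double quotes and backslashes in the
//    input never reach the SQL parser and need no escaping.
function update_prepared(mysqli $cxn, array $in, string $whichRecord): int
{
    $stmt = mysqli_prepare($cxn,
        "UPDATE thermal_transfer_paper
         SET category='TTP', material=?, supplier=?, description=?
         WHERE supplierItemNo=?");
    $material = trim($in['var14'] ?? '');
    $supplier = trim($in['var15'] ?? '');
    $desc     = trim($in['var6'] ?? '');
    mysqli_stmt_bind_param($stmt, 'ssss', $material, $supplier, $desc, $whichRecord);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Constructed input containing both quote styles and a backslash, the kind of
// value the last post reports as failing. Both functions accept it unchanged.
$sample = ['var14' => "5\" gloss \\ O'Brien", 'var15' => 'ACME "Paper"', 'var6' => "it's"];
// update_escaped($cxn, $sample, $whichRecord);
// update_prepared($cxn, $sample, $whichRecord);
```

On the confirmation page the same calls take $_GET directly, e.g. update_prepared($cxn, $_GET, $whichRecord); the verification page only needs to pass the values through unmodified.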