
mysql_real_escape_string() will not stop throwing errors!


OldWest


I have never had to use this function before, but it was recommended to improve the security of my script. I have tried implementing mysql_real_escape_string() in every way I thought possible, but I keep getting random PHP errors.


I am simply trying to sanitize the data from my query (as shown below)... Where would you recommend I call the function and what variable should I store in it?


// $_GET['id'] is interpolated straight into the SQL text, which is the line the
// escaping is meant to protect. (Unquoted array keys are valid inside a
// double-quoted string in PHP.)
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='$_GET[id]'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");

// Earlier attempt, left commented out: this called the mysql_ (not mysqli_)
// function, and discarded its return value instead of storing it.
//$title = $_GET['title'];
// mysql_real_escape_string($title);

while($posts_by_city_row = mysqli_fetch_array($posts_by_city_results)) {
	echo "<li><a href='posting_details.php?id=$posts_by_city_row[id]'>$posts_by_city_row[title]</a></li>";
}

It would help if you showed us HOW you were trying to use it... Basically it's just a normal function where you pass the string to it and it returns the escaped string. The main thing about it is that you have to have a DB connection open first in order to use it, because it relies on settings in your DB to properly escape stuff. But in general, you would use it as such:


// connect to your db somewhere before this...

$id = mysqli_real_escape_string($_GET['id']);
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='$id'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");

//$title = $_GET['title'];
// mysql_real_escape_string($title);

while($posts_by_city_row = mysqli_fetch_array($posts_by_city_results)) {
echo "<li><a href='posting_details.php?id=$posts_by_city_row[id]'>$posts_by_city_row[title]</a></li>";
}

Thanks for both tips. I believe the problem was I did not know there was a mysqli function for this feature, because I don't think you can mix and match mysql and mysqli functions without trouble. I was using the mysql_ version, and that's what was throwing the interpreter off. SOLVED!

And just as a side note: not sure about the mysql statements, but the mysqli version requires 2 arguments for it to work properly, like:


// The connection must exist before escaping: mysqli_real_escape_string()
// uses the connection's character set to decide what to escape.
$cxn = mysqli_connect($host, $user, $pass, $db) or die("Could not connect to the server.");

// mysqli_real_escape_string() takes the connection as its FIRST argument;
// the value to escape is the second.
$id = mysqli_real_escape_string($cxn, $_GET['id']);

// The escaped value must still be wrapped in quotes in the SQL text; escaping
// only neutralises quote characters inside a quoted literal.
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='" . $id . "'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");
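To make the point of the thread concrete, here is an added example (not code from any of the posters) that puts the three forms side by side: the original interpolated query, the two-argument mysqli_real_escape_string() fix, and a prepared statement, which is what a reviewer would recommend instead of escaping. The table `postings` and column `city_id` come from the original post; the `DEMO_DB_*` environment variables, the use of the mysqlnd driver (for `get_result()`), and the function names are assumptions made for this example. Run without a database it only builds and prints the vulnerable query string; set the environment variables to exercise the two hardened forms against a real server.

```php
<?php
// Added example; not code from the thread. Table `postings` and column
// `city_id` come from the original post. DEMO_DB_* variables are assumed.

// 1. The original post's construction: $_GET['id'] interpolated straight
//    into the SQL text. Pure string building, so it runs without a database.
function vulnerableQuery(string $id): string
{
    return "SELECT id, city_id, title FROM postings WHERE city_id='$id'";
}

// 2. The thread's fix: escape with the connection as the first argument.
//    mysqli_real_escape_string() needs the live connection because the
//    escaping depends on the connection's character set. The escaped value
//    must still sit inside quotes in the SQL text for this to be safe.
function escapedQuery(mysqli $cxn, string $id): string
{
    $safeId = mysqli_real_escape_string($cxn, $id);
    return "SELECT id, city_id, title FROM postings WHERE city_id='$safeId'";
}

// 3. Preferred form: a prepared statement with a bound parameter. The value
//    is sent separately from the SQL text, so no quoting can break out of it.
//    Assumes the mysqlnd driver, which provides mysqli_stmt::get_result().
function postsByCity(mysqli $cxn, string $id): array
{
    $stmt = $cxn->prepare(
        "SELECT id, city_id, title FROM postings WHERE city_id = ?"
    );
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $cxn->error);
    }
    $stmt->bind_param('s', $id);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Offline demonstration with a constructed malicious id: the single quote
// ends the city_id literal and everything after it is parsed as SQL, so the
// WHERE clause no longer restricts the rows returned.
$payload = "1' OR '1'='1";
echo vulnerableQuery($payload), PHP_EOL;

// With a real connection (assumed DEMO_DB_* environment variables), the
// hardened forms: the escaped query keeps the literal closed, and the
// prepared statement treats the whole payload as one city_id value.
if (getenv('DEMO_DB_HOST') !== false) {
    $cxn = mysqli_connect(
        getenv('DEMO_DB_HOST'), getenv('DEMO_DB_USER'),
        getenv('DEMO_DB_PASS'), getenv('DEMO_DB_NAME')
    );
    echo escapedQuery($cxn, $payload), PHP_EOL;
    foreach (postsByCity($cxn, $payload) as $row) {
        // The thread echoes title straight into HTML; escape on output too.
        echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
    mysqli_close($cxn);
}
```

The escaped form is only correct because the value is wrapped in single quotes in the query; an escaped value dropped into an unquoted numeric position (`city_id=$id`) would still be injectable. The prepared statement has no such dependency on the surrounding SQL text, which is why it is the form to reach for.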
