mysql_real_escape_string() will not stop throwing errors!

I have never had to use this function before, but it was recommended to improve the security of my script. I have tried implementing mysql_real_escape_string() in every way I thought possible, but I keep getting random php errors.

 

I am simply trying to sanitize the data from my query (as shown below)... Where would you recommend I call the function and what variable should I store in it?

 

// As posted: $_GET['id'] is interpolated straight into the SQL string, so the
// query text depends on whatever the client sends for ?id=
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='$_GET[id]'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");

//$title = $_GET['title'];
// mysql_real_escape_string($title);   // return value is discarded here; the function does not modify $title in place

while ($posts_by_city_row = mysqli_fetch_array($posts_by_city_results)) {
    echo "<li><a href='posting_details.php?id=$posts_by_city_row[id]'>$posts_by_city_row[title]</a></li>";
}

It would help if you showed us HOW you were trying to use it... Basically it's just a normal function where you pass the string to it and it returns the escaped string. The main thing about it is that you have to have a db connection open first in order to use it, because it relies on settings in your db to properly escape stuff. But in general, you would use it as such:

 

// connect to your db somewhere before this...

// escape the raw value, then use the escaped copy (not $_GET['id']) in the query
$id = mysqli_real_escape_string($_GET['id']);
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='$id'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");

//$title = $_GET['title'];
// mysql_real_escape_string($title);

while ($posts_by_city_row = mysqli_fetch_array($posts_by_city_results)) {
    echo "<li><a href='posting_details.php?id=$posts_by_city_row[id]'>$posts_by_city_row[title]</a></li>";
}

Thanks for both tips. I believe the problem was I did not know there was a mysqli function for this feature, because I don't think you can mix and match mysql and mysqli functions without trouble. I was using the mysql... version, and that's what was throwing the interpreter off. SOLVED!

And just as a side note: not sure about the mysql statements, but the mysqli version requires 2 arguments for it to work properly, like:
$cxn = mysqli_connect($host, $user, $pass, $db) or die("Could not connect to the server.");

// first argument is the connection: the escaping depends on the connection's character set
$id = mysqli_real_escape_string($cxn, $_GET['id']);

// the escaped value only does its job because it sits inside the single quotes
$posts_by_city_sql = "SELECT id, city_id, title FROM postings WHERE city_id='" . $id . "'";
$posts_by_city_results = (mysqli_query($cxn, $posts_by_city_sql)) or die("Was not able to grab the Postings!");
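The escaping approach settled on above works, but only as long as every escaped value sits inside quotes in the SQL text (written as `WHERE city_id=$id` without the quotes, an input such as `1 OR 1=1` passes through `mysqli_real_escape_string()` unchanged) and only when the connection character set is set explicitly. The following is an added example, not code from the thread, showing the same lookup done with a mysqli prepared statement so the id never becomes part of the query text at all, plus HTML encoding for the values echoed into the `<li>` list (the titles come from the database, which does not make them safe to print raw). It assumes a live mysqli connection using the `$host`, `$user`, `$pass`, `$db` variables from the post above, a `postings` table with the columns named in the thread, and the mysqlnd driver (needed for `get_result()`); the function names are mine.

```php
<?php
// Added example (not from the original thread). Assumes: mysqli with mysqlnd,
// the thread's `postings` table (id, city_id, title), and the connection
// variables $host, $user, $pass, $db used in the posts above.

declare(strict_types=1);

/**
 * Fetch postings for one city. The id travels to the server as a bound
 * parameter, so it is never spliced into the SQL string and nothing has to be
 * escaped. city_id is an integer column, so the raw input is validated as a
 * plain integer first; this also turns junk input into a clean 400 rather
 * than a 500 from the database.
 */
function fetch_postings_by_city(mysqli $cxn, string $rawId): array
{
    if (!preg_match('/^\d{1,10}$/', $rawId)) {
        throw new InvalidArgumentException('city id must be a positive integer');
    }
    $cityId = (int) $rawId;

    $stmt = $cxn->prepare('SELECT id, city_id, title FROM postings WHERE city_id = ?');
    $stmt->bind_param('i', $cityId);   // 'i': the driver sends it typed as an integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Render the list. Each value is encoded for the HTML context it lands in:
 * the id is cast to int for the URL, the title is entity-encoded for the
 * element body. Data from the database is still untrusted in this context.
 */
function render_postings(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $id    = (int) $row['id'];
        $title = htmlspecialchars($row['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<li><a href=\"posting_details.php?id={$id}\">{$title}</a></li>\n";
    }
    return $html;
}

// Usage in the page that currently builds the query from $_GET[id].
// Report mode makes mysqli throw on failure instead of returning false,
// which removes the need for the `or die(...)` chains.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$cxn = new mysqli($host, $user, $pass, $db);
$cxn->set_charset('utf8mb4');   // state the charset explicitly; never rely on the server default

try {
    echo render_postings(fetch_postings_by_city($cxn, $_GET['id'] ?? ''));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'Bad request';
}
```

With a bound parameter the connection argument question that tripped up the thread disappears, because no escaping step exists; the `set_charset()` call is still worth keeping, since it is the connection's character set that decides how the driver interprets multibyte input either way.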
