eMonk
Posted September 19, 2011

$height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height'],ENT_QUOTES)));

Here's the error message I'm getting:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 3 given

I just added in the htmlentities and ENT_QUOTES to the line but I'm not sure how to format it. Any ideas?

Thread: https://forums.phpfreaks.com/topic/247470-whats-wrong-with-this-syntax/
Adam
Posted September 19, 2011

Look at the code: you're passing "ENT_QUOTES" as a parameter to mysql_real_escape_string().
eMonk (author)
Posted September 20, 2011

I know, but how can I do it so it's not?
Adam
Posted September 20, 2011

> $height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height'],ENT_QUOTES)));

$height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height']), ENT_QUOTES));

There's no need to fit everything onto one line. Split it up; it makes the code more readable:

$height = trim($_POST['height']);
$height = mysqli_real_escape_string($db, $height);

I actually left out htmlentities(), as this is something you should do as you output user input, not when preparing it for saving to a database.
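The separation Adam describes (escape for the database at query time, encode for HTML at output time), as an added example that is not code from the thread. It assumes the pdo_sqlite extension is loaded so that an in-memory SQLite database can stand in for MySQL; the `people` table, its columns and the sample form values are constructed for the example, and the mysqli equivalents are noted in comments.

```php
<?php
// Added example, not code from the thread. It keeps the two concerns the
// thread mixes up apart: getting a value into the database safely (prepared
// statement, at query time) and getting it onto a page safely
// (htmlspecialchars, at output time). Assumption: pdo_sqlite is available, so
// an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

// Constructed form submission. The name carries the characters that cause
// trouble in SQL and in HTML; the height has stray whitespace.
$_POST = [
    'name'   => "O'Brien <b>bold</b>",
    'height' => ' 180.5 ',
];

// 1. Normalise and validate the input. A height is a number, so reject
//    anything that is not one rather than trying to "clean" it.
function readHeight(array $post): ?float
{
    $raw = trim((string) ($post['height'] ?? ''));
    return is_numeric($raw) ? (float) $raw : null;
}

function readName(array $post): string
{
    return trim((string) ($post['name'] ?? ''));
}

// 2. Store with a prepared statement. The values never become part of the SQL
//    text, so there is nothing for mysqli_real_escape_string() to do here;
//    calling it anyway would store a literal backslash before the apostrophe.
function storePerson(PDO $db, string $name, float $height): void
{
    $stmt = $db->prepare('INSERT INTO people (name, height) VALUES (?, ?)');
    $stmt->execute([$name, $height]);
    // mysqli equivalent (hypothetical table, same pattern):
    //   $stmt = $db->prepare('INSERT INTO people (name, height) VALUES (?, ?)');
    //   $stmt->bind_param('sd', $name, $height);
    //   $stmt->execute();
}

// 3. Encode for HTML only when rendering, with ENT_QUOTES so the same value
//    is also safe inside a single-quoted attribute.
function renderRow(string $name, float $height): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf("<tr><td data-name='%s'>%s</td><td>%.1f</td></tr>",
        $safeName, $safeName, $height);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL, height REAL NOT NULL)');

$height = readHeight($_POST);
if ($height === null) {
    echo "rejected: height must be numeric\n";
    exit(1);
}
storePerson($db, readName($_POST), $height);

// What the database holds is the raw text (an apostrophe, no backslash); the
// encoding happens only in renderRow().
foreach ($db->query('SELECT name, height FROM people') as $row) {
    echo 'stored:   ', $row['name'], "\n";
    echo 'rendered: ', renderRow($row['name'], (float) $row['height']), "\n";
}
```

The point of validating the height as a number is that no escaping function is the right tool for it: a value that must be numeric is either accepted as a float or rejected. Free text like the name is stored exactly as entered and encoded once, for the context it is rendered into.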
xyph
Posted September 20, 2011

htmlentities() creates ugly HTML anyway. Use htmlspecialchars(). It only converts the values required to prevent injection, and is UTF-8 safe.
Adam
Posted September 20, 2011

Why "ugly"? I mean, I use htmlspecialchars() myself generally, but htmlentities() just encodes more characters. When escaping user input the idea is you have little to no HTML anyway, so it's not exactly ugly, just more than necessary.
xyph
Posted September 20, 2011

Ugly is mostly cosmetic in this case. The important reason is not having to deal with character encoding, assuming ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, or KOI8-R.

The following:

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<?php
$phrase = "Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>";
echo 'entities: ' . htmlentities( $phrase, ENT_COMPAT, 'UTF-8' ) . "\n";
echo 'specialchars: ' . htmlspecialchars( $phrase );
?>

Outputs:

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
entities: Mon coll&egrave;gue a &eacute;tudi&eacute; &agrave; &lt;b&gt;l'h&ocirc;pital&lt;/b&gt;. Il est un gar&ccedil;on &lt;i&gt;na&iuml;f&lt;/i&gt;
specialchars: Mon collègue a étudié à &lt;b&gt;l'hôpital&lt;/b&gt;. Il est un garçon &lt;i&gt;naïf&lt;/i&gt;

Both output the same on the page. You're adding extra parsing, and extra data to send to the client, with no advantage. On top of that, you have to specify your character set if you want to use UTF-8.
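The comparison xyph makes, carried one step further as an added example (not code from the thread): it runs both functions over the same UTF-8 phrase and over a constructed attribute-breakout string, under ENT_COMPAT and under the ENT_QUOTES flag eMonk was trying to pass in the first post. The two input strings and the `breaksSingleQuotedAttribute()` helper are constructed for the example.

```php
<?php
// Added example, not code from the thread. htmlentities() and
// htmlspecialchars() differ in how many bytes they produce, but for a value
// placed inside a single-quoted attribute what matters is the flags argument:
// ENT_COMPAT leaves the single quote alone, ENT_QUOTES encodes it.
declare(strict_types=1);

// Constructed inputs: a harmless accented phrase and an attribute breakout.
$phrase  = "Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>";
$payload = "x' onmouseover='alert(1)";

// Run both encoders with the same flags and an explicit charset, which
// htmlentities() needs to handle UTF-8 input correctly.
function encodeBoth(string $s, int $flags): array
{
    return [
        'entities'     => htmlentities($s, $flags, 'UTF-8'),
        'specialchars' => htmlspecialchars($s, $flags, 'UTF-8'),
    ];
}

// A raw single quote left in the encoded value can terminate an attribute
// written as value='...', so its presence is what we check for.
function breaksSingleQuotedAttribute(string $encoded): bool
{
    return strpos($encoded, "'") !== false;
}

foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $name => $flags) {
    echo "== {$name} ==\n";

    $encoded = encodeBoth($phrase, $flags);
    foreach ($encoded as $fn => $out) {
        printf("%-13s %s\n", $fn . ':', $out);
    }
    printf("bytes:        entities=%d specialchars=%d\n",
        strlen($encoded['entities']), strlen($encoded['specialchars']));

    foreach (encodeBoth($payload, $flags) as $fn => $out) {
        printf("%-13s <input value='%s'>  breaks out: %s\n",
            $fn . ':', $out, breaksSingleQuotedAttribute($out) ? 'yes' : 'no');
    }
    echo "\n";
}
```

With ENT_COMPAT, both functions return the payload's single quote untouched, so the constructed `<input value='...'>` is broken out of regardless of which function is used; with ENT_QUOTES neither does. The byte counts show the cost xyph refers to: htmlentities() turns every accented letter into a named entity, htmlspecialchars() passes them through and encodes only the characters that are significant to the HTML parser.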