problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 12:29 pm
by someguyhere
Is there any reason that this should just add mysql_real_escape_string() into the database rather than the actual values?
Code:
$mysqli->query("INSERT INTO wp_network_members (level, headshot, logo, website, phone, l_name, f_name, title, company, company_desc, address_1, address_2, city, state, zip, designation, service_category, keywords) VALUES ('0', 'mysql_real_escape_string($_POST[headshot])', 'mysql_real_escape_string($_POST[logo])', 'mysql_real_escape_string($_POST[website])', 'mysql_real_escape_string($_POST[phone])', '$l_name', '$f_name', 'mysql_real_escape_string($_POST[title])', 'mysql_real_escape_string($_POST[company])', '$company_desc', 'mysql_real_escape_string($_POST[address_1])', 'mysql_real_escape_string($_POST[address_2])', 'mysql_real_escape_string($_POST[city])', 'mysql_real_escape_string($_POST[state])', '$_POST[zip]', '$_POST[designation]', '$_POST[service_category]', '$_POST[keywords]')");
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 12:35 pm
by DigitalMind
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 12:55 pm
by cpetercarter
If you are using mysqli for your database connection, you should use mysqli_real_escape_string().
Also, although you can often get away with not placing quotation marks around offset names ($_POST[logo]), this can have unexpected effects. $_POST['logo'] is better practice.
Finally, the single quotation marks make MySQL think that you want to insert e.g. "mysql_real_escape_string($_POST[logo])" into the database as a string. The best thing to do is to escape your $_POST values before putting them into the query, like this:
Code:
$logo = mysqli->real_escape_string($_POST['logo']);
// etc
$query = "INSERT INTO ......VALUES ('0', '$headshot', '$logo',......)";
// etc
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 1:35 pm
by someguyhere
Ok, then here is my new code:
Code:
$headshot = mysqli->real_escape_string($_POST['headshot']);
$logo = mysqli->real_escape_string($_POST['logo']);
$website = mysqli->real_escape_string($_POST['website']);
$phone = mysqli->real_escape_string($_POST['phone']);
$l_name = str_replace("-", "", ucwords(mysqli->real_escape_string($_POST['l_name'])));
$f_name = ucwords(mysqli->real_escape_string($_POST['f_name']));
$title = mysqli->real_escape_string($_POST['title']);
$company = mysqli->real_escape_string($_POST['company']);
$company_desc = mysqli->real_escape_string($_POST['company_desc']);
$address_1 = mysqli->real_escape_string($_POST['address_1']);
$address_2 = mysqli->real_escape_string($_POST['address_2']);
$city = mysqli->real_escape_string($_POST['city']);
$state = mysqli->real_escape_string($_POST['state']);
$zip = mysqli->real_escape_string($_POST['zip']);
$designation = mysqli->real_escape_string($_POST['designation']);
$service_category = mysqli->real_escape_string($_POST['service_category']);
$keywords = mysqli->real_escape_string($_POST['keywords']);
$company_desc = strip_tags(addparagraphs($company_desc), '<p><br/><br><b><i><ol><ul><li>');
$mysqli = new mysqli("localhost", "xxxxx", "xxxxx", "xxxxx");
$mysqli->query("INSERT INTO wp_network_members (level, headshot, logo, website, phone, l_name, f_name, title, company, company_desc, address_1, address_2, city, state, zip, designation, service_category, keywords) VALUES ('0', '$headshot', '$logo', '$website', '$phone', '$l_name', '$f_name', '$title', '$company', '$company_desc', '$address_1', '$address_2', '$city', '$state', '$zip', '$designation', '$service_category', '$keywords')");
Which gives me the following error:
Parse error: syntax error, unexpected T_OBJECT_OPERATOR in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 52
Line 52 is the first line in the code I posted ($headshot = ...). Any idea what I'm doing wrong here?
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 2:04 pm
by cpetercarter
Yes, my bad. Should be mysqli_real_escape_string().
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 2:26 pm
by someguyhere
I had assumed that might be the case, so I tried it before posting.
Here's what I get with that:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 52
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 53
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 54
...
Re: problem w/ mysql_real_escape_string()
Posted: Sat Feb 26, 2011 2:42 pm
by cpetercarter
Have a look at the PHP manual section on mysqli_real_escape_string(). The first parameter needs to be the identifier of the mysqli link. For example, if you started mysqli with:
Code:
$db = mysqli_connect($host, $username, $password);
then the first parameter in mysqli_real_escape_string() needs to be $db. So:
Code:
$logo = mysqli_real_escape_string($db, $_POST['logo']);
Sorry about the confusion - I have previously used mysqli only in OO style, not in procedural style.
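Putting the thread's two corrections together (escape each value before interpolating it, and in procedural style pass the link as the first argument), as an added example that is not code from the thread; it also goes beyond the replies by showing the same insert as a prepared statement, which needs no escaping at all. The table and column names are the original's; $db, the credentials and the sample $_POST values are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: a mysqli link in $db and
// the thread's wp_network_members table (only a few of its columns used here).

// Constructed sample input standing in for a submitted form.
$_POST = [
    'headshot' => "pic.jpg",
    'logo'     => "O'Reilly logo",   // the quote is what escaping must handle
    'website'  => "https://example.invalid",
    'zip'      => "12345",
];

$db = mysqli_connect("localhost", "user", "pass", "wordpress"); // placeholders
if ($db === false) {
    die("connect failed: " . mysqli_connect_error());
}

// Procedural style, as the last reply says: the link is the FIRST argument.
// Escaping runs outside the SQL string, so the query receives O\'Reilly rather
// than the literal text "mysqli_real_escape_string(...)" as in the first post.
$fields = ['headshot', 'logo', 'website', 'zip'];
$safe = [];
foreach ($fields as $f) {
    // Default to '' so a missing field does not raise a notice.
    $safe[$f] = mysqli_real_escape_string($db, $_POST[$f] ?? '');
}
// Escaping only protects values inside single quotes; keep every placeholder quoted.
$sql = "INSERT INTO wp_network_members (level, headshot, logo, website, zip)
        VALUES ('0', '{$safe['headshot']}', '{$safe['logo']}',
                '{$safe['website']}', '{$safe['zip']}')";
if (!mysqli_query($db, $sql)) {
    die("insert failed: " . mysqli_error($db));
}

// Same insert as a prepared statement: the values are sent separately from the
// SQL text, so no quoting rules apply and no escaping step is needed.
$stmt = mysqli_prepare($db,
    "INSERT INTO wp_network_members (level, headshot, logo, website, zip)
     VALUES ('0', ?, ?, ?, ?)");
if ($stmt === false) {
    die("prepare failed: " . mysqli_error($db));
}
mysqli_stmt_bind_param($stmt, "ssss",
    $_POST['headshot'], $_POST['logo'], $_POST['website'], $_POST['zip']);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
```

mysqli_real_escape_string() escapes according to the connection's character set, which is why it needs the link; the prepared statement sidesteps that dependency entirely.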