problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 12:29 pm
by someguyhere
Is there any reason that this should just add mysql_real_escape_string() into the database rather than the actual values?

Code:

	$mysqli->query("INSERT INTO wp_network_members (level, headshot, logo, website, phone, l_name, f_name, title, company, company_desc, address_1, address_2, city, state, zip, designation, service_category, keywords) VALUES ('0', 'mysql_real_escape_string($_POST[headshot])', 'mysql_real_escape_string($_POST[logo])', 'mysql_real_escape_string($_POST[website])', 'mysql_real_escape_string($_POST[phone])', '$l_name', '$f_name', 'mysql_real_escape_string($_POST[title])', 'mysql_real_escape_string($_POST[company])', '$company_desc', 'mysql_real_escape_string($_POST[address_1])', 'mysql_real_escape_string($_POST[address_2])', 'mysql_real_escape_string($_POST[city])', 'mysql_real_escape_string($_POST[state])', '$_POST[zip]', '$_POST[designation]', '$_POST[service_category]', '$_POST[keywords]')");

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 12:35 pm
by DigitalMind
Why not use mysql_prepare()?
http://ua.php.net/manual/en/mysqli.prepare.php

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 12:55 pm
by cpetercarter
If you are using mysqli for your database connection, you should use mysqli_real_escape_string().

Also, although you can often get away with not placing quotation marks around offset names ($_POST[logo]), this can have unexpected effects. $_POST['logo'] is better practice.

Finally, the single quotation marks make mysql think that you want to insert e.g. "mysql_real_escape_string($_POST[logo])" into the database as a string. The best thing to do is to escape your $_POST values before putting them into the query, like this:

Code:

$logo = mysqli->real_escape_string($_POST['logo']);
// etc
$query = "INSERT INTO ......VALUES ('0', '$headshot', '$logo',......)";
// etc
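An added example (not code from this thread) that illustrates both DigitalMind's prepare suggestion and cpetercarter's point: buildBrokenValue shows why the original double-quoted string ends up carrying the literal function name instead of an escaped value, and insertMember is the prepared-statement replacement, where values are bound and never concatenated into the SQL text. It assumes PHP with the mysqli extension; the column names come from the thread, the sample row and the connection credentials are constructed placeholders.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with mysqli;
// the row data and credentials below are constructed placeholders.

// 1. What the original query actually does: inside a double-quoted string
//    PHP interpolates $post[headshot] but never calls a function, so the
//    SQL receives the literal text mysql_real_escape_string(<value>) with
//    the value itself unescaped. A value containing a single quote
//    therefore breaks out of the SQL string literal.
function buildBrokenValue(array $post): string
{
    return "'mysql_real_escape_string($post[headshot])'";
}

// 2. The approach DigitalMind pointed at: a prepared statement with
//    placeholders. Values travel separately from the query text, so no
//    escaping call is needed and quoting mistakes cannot occur.
function insertMember(mysqli $db, array $row): bool
{
    $sql = "INSERT INTO wp_network_members (level, headshot, logo, website)
            VALUES (0, ?, ?, ?)";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    // "sss": three string parameters, bound by reference.
    $stmt->bind_param("sss", $row['headshot'], $row['logo'], $row['website']);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample input containing the single quote that the missing
// escaping in the original query would have let straight through.
$sample = [
    'headshot' => "o'brien.jpg",
    'logo'     => 'acme.png',
    'website'  => 'https://example.com',
];

// Show the broken interpolation result without touching a database.
echo buildBrokenValue($sample), PHP_EOL;

// With a live connection (placeholder credentials, assumed):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// insertMember($db, $sample);
```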

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 1:35 pm
by someguyhere
Ok, then here is my new code:

Code:

	$headshot = mysqli->real_escape_string($_POST['headshot']);
	$logo = mysqli->real_escape_string($_POST['logo']);
	$website = mysqli->real_escape_string($_POST['website']);
	$phone = mysqli->real_escape_string($_POST['phone']);
	$l_name = str_replace("-", "", ucwords(mysqli->real_escape_string($_POST['l_name'])));
	$f_name = ucwords(mysqli->real_escape_string($_POST['f_name']));
	$title = mysqli->real_escape_string($_POST['title']);
	$company = mysqli->real_escape_string($_POST['company']);
	$company_desc = mysqli->real_escape_string($_POST['company_desc']);
	$address_1 = mysqli->real_escape_string($_POST['address_1']);
	$address_2 = mysqli->real_escape_string($_POST['address_2']);
	$city = mysqli->real_escape_string($_POST['city']);
	$state = mysqli->real_escape_string($_POST['state']);
	$zip = mysqli->real_escape_string($_POST['zip']);
	$designation = mysqli->real_escape_string($_POST['designation']);
	$service_category = mysqli->real_escape_string($_POST['service_category']);
	$keywords = mysqli->real_escape_string($_POST['keywords']);

	$company_desc = strip_tags(addparagraphs($company_desc), '<p><br/><br><b><i><ol><ul><li>');

	$mysqli = new mysqli("localhost", "xxxxx", "xxxxx", "xxxxx");
	$mysqli->query("INSERT INTO wp_network_members (level, headshot, logo, website, phone, l_name, f_name, title, company, company_desc, address_1, address_2, city, state, zip, designation, service_category, keywords) VALUES ('0', '$headshot', '$logo', '$website', '$phone', '$l_name', '$f_name', '$title', '$company', '$company_desc', '$address_1', '$address_2', '$city', '$state', '$zip', '$designation', '$service_category', '$keywords')");
Which gives me the following error:

Parse error: syntax error, unexpected T_OBJECT_OPERATOR in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 52

Line 52 is the first line in the code I posted ($headshot = ...). Any idea what I'm doing wrong here?

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 2:04 pm
by cpetercarter
Yes, my bad. Should be mysqli_real_escape_string().

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 2:26 pm
by someguyhere
I had assumed that might be the case, so I tried it before posting.

Here's what I get with that:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 52

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 53

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/efarrell/public_html/wp-content/plugins/wp-members-pages/members_page.php on line 54

...

Re: problem w/ mysql_real_escape_string()

Posted: Sat Feb 26, 2011 2:42 pm
by cpetercarter
Have a look at the php manual section on mysqli_real_escape_string(). The first parameter needs to be the identifier of the mysqli link. For example, if you started mysqli with:

Code:

$db = mysqli_connect($host, $username, $password);
then the first parameter in mysqli_real_escape_string() needs to be $db. So:

Code:

$logo = mysqli_real_escape_string($db, $_POST['logo']);
Sorry about the confusion - I have previously used mysqli only in OO style, not in procedural style.
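An added example (not code from this thread) of the procedural form cpetercarter describes, with the link as first argument, applied to the whole row rather than one field. It also covers a detail the posted code gets backwards: the connection must be opened before any escaping call, because mysqli_real_escape_string() uses the connection's character set. It assumes a reachable MySQL server; the credentials and the $post data are constructed placeholders, and the field list is fixed in code, never taken from the request.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ with mysqli and a
// reachable MySQL server; credentials and input data are placeholders.

// Escape every expected field with the procedural API. The first argument
// is the open link (cpetercarter's $db); the OO equivalent of each call is
// $db->real_escape_string($value). Keys come from $fields, a list fixed in
// code, so column names are never derived from user input.
function escapeRow(mysqli $db, array $post, array $fields): array
{
    $out = [];
    foreach ($fields as $f) {
        $out[$f] = mysqli_real_escape_string($db, (string)($post[$f] ?? ''));
    }
    return $out;
}

// Build the INSERT from already-escaped values. Escaping only protects
// string literals, so every value is still wrapped in single quotes.
function buildInsert(string $table, array $escaped, string $level = '0'): string
{
    $cols = 'level, ' . implode(', ', array_keys($escaped));
    $vals = "'" . $level . "', '" . implode("', '", $escaped) . "'";
    return "INSERT INTO $table ($cols) VALUES ($vals)";
}

// Constructed sample request with single quotes in two fields.
$fields = ['headshot', 'logo', 'website', 'phone', 'city', 'state'];
$post = [
    'headshot' => "o'brien.jpg", 'logo' => 'acme.png',
    'website'  => 'https://example.com', 'phone' => '555-0100',
    'city'     => "L'Aquila", 'state' => 'AQ',
];

// Connect FIRST: escaping needs the live link and its charset. The thread's
// posted code escaped before calling new mysqli(), which cannot work.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // placeholders
mysqli_set_charset($db, 'utf8mb4');

$escaped = escapeRow($db, $post, $fields);
mysqli_query($db, buildInsert('wp_network_members', $escaped));
mysqli_close($db);
```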