I have written this code in my config file (included everywhere) to avoid sql injection
Code: Select all
$_POST = array_map("mysql_escape",$_POST);Code: Select all
function mysql_escape($input)
{
global $conn;
return mysqli_real_escape_string($conn,$input);
}Code: Select all
<input id="photoUpload" type="file" name="TourPhoto[]" value='1' multiple accept="image/*">Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given in C:\xampp\htdocs\project\functions.php on line 6
Although the script works, file is uploaded
If I change "TourPhoto[]" to "TourPhoto", the warning disappears; but I need to input multiple files and I'd like to know where I am wrong?
Thanks in advance for your help