
Error using mysqli_real_escape_string

Posted: Sat Nov 05, 2016 8:41 am
by tcarp
Novice with PHP. Cleaning up some old code that started failing recently. One sweep is to convert to mySQLi. In testing the code I'm getting a real escape string error indicating it expects the first parameter to be mysqli.

I studied the documentation, it seems to show it both ways (i.e. mysqli, and the connection variable).

Code:

$theValue = mysqli_real_escape_string($atlas, $theValue);

$atlas is the connection.

It may turn out I don't need the statement at all. If I understand the readings, this is used mostly for user input (partly for security and partly just to let them not worry too much about special characters they may use). I'm the user so don't use a bunch of specials for some db text fields.

I ran across this post while researching. I haven't gone through it in detail yet, but my first pass says it is a different approach with using mySQLi.

http://stackoverflow.com/questions/2173 ... -string-gi

Why am I getting the error and should I follow a completely different approach to making sure text input is not ambiguous?

Re: Error using mysqli_real_escape_string

Posted: Sat Nov 05, 2016 10:54 am
by Christopher
tcarp wrote: I studied the documentation, it seems to show it both ways (i.e. mysqli, and the connection variable).

Code:

$theValue = mysqli_real_escape_string($atlas, $theValue);

Mysqli has two interfaces: procedural and OO. The procedural functions, like you show above, require that the connection is passed as the first parameter. When using the OO interface, the connection is set on initialization and held within the object -- so no parameter is needed.

So from the documentation it is either:

Code:

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
$str = $mysqli->real_escape_string ($str);
// or
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
$str = mysqli_real_escape_string ($link, $str);

Note that this is a good example of the benefits of OO. In this case encapsulation of the connection link so that it does not need to be passed to every function, thereby reducing errors like yours.

Re: Error using mysqli_real_escape_string

Posted: Sat Nov 05, 2016 11:23 am
by tcarp
The code starts by making the connection

Code:

require_once('Connections/atlas.php');

$atlas is the connection variable.

So, this is the statement:

Code:

$theValue = mysqli_real_escape_string($atlas, $theValue);

Not sure I see what I'm doing wrong with the procedural statement.

BTW, thanks for the OO nudge. Next update.

Re: Error using mysqli_real_escape_string

Posted: Sat Nov 05, 2016 11:53 am
by Christopher
My guess is that you are not actually getting a successful connection, so $atlas is false or something.

Re: Error using mysqli_real_escape_string

Posted: Sat Nov 05, 2016 10:08 pm
by tcarp
Thanks, but I don't think that's it.

This is the common connection code that should have thrown an error if it failed. It's require_once for a couple php pages. The others are working.

Code:

$atlas = mysqli_connect($hostname_atlas, $username_atlas, $password_atlas, $database_atlas);
if (mysqli_connect_errno())
	{
	echo "Failed to connect to Atlas MySQL db: " . mysqli_connect_error();
	}

Finding out why the error exists is one thing, but as I go back over the code, I'm starting to wonder if I need the escape function at all.

Am I correct that where the real_escape_string function is used is when users are entering data? From what I've read, it removes ambiguity, and, apparently, is important for security.

The field I'm passing through the function is not user entered in the sense of a form field.

I'm probably going to remove it, but would like to understand it since there are other applications where users do enter data.

Re: Error using mysqli_real_escape_string

Posted: Sun Nov 06, 2016 3:22 pm
by Christopher
You can do print_r($atlas) to see what is actually in that variable.
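
Added example, not code from any poster in this thread: a check that tells apart two ways the first argument can end up not being a mysqli object, namely a failed connect (the guess above) and the connection variable being out of scope inside a function. The second case is an assumption, since the thread does not show where the call sits; every name other than $atlas and mysqli_real_escape_string is hypothetical.

```php
<?php
// Added example. No database is contacted; the bad handle is constructed.

// Report what a supposed connection variable really holds.
function describe_handle($handle): string
{
    if ($handle instanceof mysqli) {
        return 'mysqli object (usable as the first parameter)';
    }
    if ($handle === false) {
        // What mysqli_connect() returns on failure when exceptions are off.
        return 'false: the connect failed and the script kept running';
    }
    if ($handle === null) {
        return 'null: the variable is not defined in this scope';
    }
    return 'unexpected ' . gettype($handle);
}

// Passing the connection in with a type declaration turns a bad handle
// into a TypeError at the call site instead of a warning further down.
function escape_value(mysqli $db, string $theValue): string
{
    return mysqli_real_escape_string($db, $theValue);
}

// A function body does not see variables set by the including file:
// $atlas below is a new, undefined local, so the caller's value is lost.
function handle_seen_inside_function(): string
{
    return describe_handle($atlas ?? null);
}

// Constructed stand-in for a connect that failed without halting the page.
$atlas = false;

echo 'global scope:    ', describe_handle($atlas), PHP_EOL;
echo 'inside function: ', handle_seen_inside_function(), PHP_EOL;

try {
    escape_value($atlas, "O'Brien");
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), PHP_EOL;
}
```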