thebarless

Reputation: 472

mysqli_real_escape_string not working

I just learned I had magic_quotes_gpc on (much to my chagrin). I turned that off.

My database connection is made prior to this query. I have the following:

$subject = mysqli_real_escape_string($link, $_POST["subject"]);
$body = mysqli_real_escape_string($link, $_POST["body"]);
$id = mysqli_real_escape_string($link, $_POST["id"]);


mysqli_query($link, "UPDATE press SET press_title = '$subject', press_release = '$body' WHERE press_id = '$id'") or die( mysqli_error($link) );

With magic quotes on, this works fine. Once I turn it off, single quotes jam up the works (with a MySQL syntax error at the quote). I thought I understood the concept but I must be missing something. Can someone explain what I'm doing wrong?

UPDATE

Error spit out by MySQL: you have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's what she said' at line 1

UPDATE #2: Here's the echoed query:

UPDATE press SET press_title = \'That\'s what she said\', press_release = \'That\'s what she said again!\' WHERE press_id = \'513\'

Upvotes: 0

Views: 1703

Answers (1)

Barmar

Reputation: 782594

Use a parametrized query:

$stmt = mysqli_prepare($link, "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?") or die(mysqli_error($link));
mysqli_stmt_bind_param($stmt, "ssi", $_POST['subject'], $_POST['body'], $_POST['id']);
mysqli_stmt_execute($stmt);

Manual

Upvotes: 1
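Added example (my own code, not part of the answer above): the parametrized UPDATE from the answer with mysqli error reporting switched on and integer validation of the id, next to the escaping approach from the question done the safe way, escaping each value exactly once and never the assembled query. It assumes PHP 7 or later, an open mysqli connection in $link, and the press table from the question.

```php
<?php
// Assumption: $link is an open mysqli connection created earlier in the script.
// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Parametrized update: the values are sent separately from the SQL text, so an
// apostrophe in "That's what she said" can never terminate the string literal.
function update_press(mysqli $link, string $subject, string $body, int $id): int
{
    $stmt = mysqli_prepare(
        $link,
        "UPDATE press SET press_title = ?, press_release = ? WHERE press_id = ?"
    );
    mysqli_stmt_bind_param($stmt, "ssi", $subject, $body, $id);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// For comparison, the escaping approach from the question done correctly:
// escape each value once, interpolate the escaped copy, and never run the
// finished query string through an escaping function. Escaping the whole
// query is what turns the delimiter quotes into \' as seen in UPDATE #2.
function update_press_escaped(mysqli $link, string $subject, string $body, int $id): int
{
    $s = mysqli_real_escape_string($link, $subject);
    $b = mysqli_real_escape_string($link, $body);
    mysqli_query($link, "UPDATE press SET press_title = '$s', press_release = '$b' WHERE press_id = $id");
    return mysqli_affected_rows($link);
}

// Constructed input standing in for $_POST; the apostrophe is the case that
// broke the query in the question.
$input = [
    'subject' => "That's what she said",
    'body'    => "That's what she said again!",
    'id'      => '513',
];

// Validate the id before it reaches either function: "i" binding and the
// unquoted interpolation above both rely on it being an integer.
$id = filter_var($input['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    http_response_code(400);
    exit('invalid id');
}

echo update_press($link, $input['subject'], $input['body'], $id), " row(s) updated\n";
```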