Reputation: 117
How can I use mysqli_real_escape_string in my script to prevent SQL injection? I was working on some code and asking some questions here, and I was advised to use mysqli_real_escape_string instead of mysql_real_escape_string. The problem is that my code does not make a connection until after the variables I want to secure. It was suggested that I should use prepared statements instead, but after some searching (http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) I feel more confused. Right now the code is doing exactly what it is not supposed to do: it is inserting empty values/rows into my table, which from my reading is probably because of the use of mysqli_real_escape_string.
Any thoughts or help are appreciated. I am so frustrated and confused but still trying to learn. Here is the code:
<?php
//Form fields passed to variables
$manu = mysqli_real_escape_string($_POST['inputManu']);
$model = mysqli_real_escape_string($_POST['inputModel']);
$desc = mysqli_real_escape_string($_POST['inputDesc']);

//Connect to database using $conn
include ('connection.php');

//Insert record into table
$sql = "INSERT INTO gear (`id`,`manu`,`model`,`desc`)
        VALUES (NULL,'$manu','$model','$desc')";

//Check for empty fields
if (isset($_POST['submit']))
{
    foreach ($_POST as $val)
    {
        if (trim($val) == '' || empty($val))
        {
            die('Error: ' . mysqli_error());
            echo "Please complete all form fields!";
            echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
        }
    }
    if (!mysqli_query($conn, $sql))
    {
        die('Error: ' . mysqli_error($conn));
    }
    else
    {
        //echo "1 record added";
        echo "Success, You added the " . $manu . " " . $model . "";
        echo "<meta http-equiv='Refresh' content='3; URL=../index.php'>";
    }
}
else
{
    echo "some error";
}
mysqli_close($conn);
?>
Upvotes: 3
Views: 5215
Reputation: 1150
Hope the code below will help you.
<?php
//Connect to database first, so the link is available for escaping
/*in connection.php
$link = mysqli_connect("localhost", "root", "", "test");
*/
include ('connection.php');

//Check for empty fields
if (isset($_POST['submit']))
{
    //Form fields passed to variables, escaped against the open link
    $manu = mysqli_real_escape_string($link, $_POST['inputManu']);
    $model = mysqli_real_escape_string($link, $_POST['inputModel']);
    $desc = mysqli_real_escape_string($link, $_POST['inputDesc']);

    if ($manu != '' && $model != "" && $desc != "")
    {
        //Insert record into table
        $sql = "INSERT INTO gear (`id`,`manu`,`model`,`desc`)
                VALUES (NULL,'$manu','$model','$desc')";
        $r = mysqli_query($link, $sql);
        //echo "1 record added";
        if ($r)
        {
            echo "Success, You added the " . $manu . " " . $model . "";
            // echo "<meta http-equiv='Refresh' content='3; URL=../index.php'>";
        }
    }
    else
    {
        echo "Please complete all form fields!";
    }
}
?>
Upvotes: 0
Reputation: 4897
<?php
//Connect to database using $conn
include ('connection.php');
//Form fields passed to variables
$manu = mysqli_real_escape_string($conn, $_POST['inputManu']);
$model = mysqli_real_escape_string($conn, $_POST['inputModel']);
$desc = mysqli_real_escape_string($conn, $_POST['inputDesc']);
Upvotes: 6
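Both answers keep string escaping; the prepared-statement approach the question asks about removes the need for it entirely. The following is an added example, not code from the question or from either answer. It assumes connection.php sets $conn with mysqli_connect() as in the question, and that the gear table is the one shown there.

```php
<?php
// Added example: the same INSERT as a mysqli prepared statement. The SQL text
// contains only placeholders, and the values travel separately, so quotes or
// other characters in the input cannot alter the query structure.
// Assumption: connection.php defines $conn = mysqli_connect(...).
include 'connection.php';

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (!isset($_POST['submit'])) {
    exit('some error');
}

// Validate before touching the database: each field must exist and be non-empty.
// This is the check the question's code performed too late (after escaping).
$fields = ['inputManu', 'inputModel', 'inputDesc'];
$values = [];
foreach ($fields as $name) {
    $v = isset($_POST[$name]) ? trim($_POST[$name]) : '';
    if ($v === '') {
        echo 'Please complete all form fields!';
        echo "<meta http-equiv='Refresh' content='3; URL=../add.php'>";
        exit;
    }
    $values[] = $v;
}

// Same columns as the question; NULL for `id` keeps its auto-increment behaviour.
$stmt = mysqli_prepare(
    $conn,
    'INSERT INTO gear (`id`, `manu`, `model`, `desc`) VALUES (NULL, ?, ?, ?)'
);
// 'sss' = three string parameters, bound by reference to the validated values.
mysqli_stmt_bind_param($stmt, 'sss', $values[0], $values[1], $values[2]);
mysqli_stmt_execute($stmt);

// SQL escaping never protects the browser: escape for HTML when echoing input back.
echo 'Success, you added the '
    . htmlspecialchars($values[0] . ' ' . $values[1], ENT_QUOTES, 'UTF-8');
echo "<meta http-equiv='Refresh' content='3; URL=../index.php'>";

mysqli_stmt_close($stmt);
mysqli_close($conn);
```

With mysqli_report() in strict mode, a failed prepare or execute raises mysqli_sql_exception, so the die('Error: ...') branches from the original are no longer needed.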