user1419018

mysqli_real_escape_string foreach function db_array_update

Someone wrote a PHP program for me a long time ago, and now I get this error when I run the code:

mysqli_real_escape_string() expects parameter 2 to be string, array given in....

I cannot fix this; here is the code:

function db_array_update($table, $a, $where) 
{    
    $q = "update $table set ";
    $b = NULL;  

    foreach($a as $key => $value)   
    {   
        if (is_int($key))
            continue;   

        $con = mysqli_connect("localhost", MYSQLUSER , MYSQLPASS, MYSQLDB);
        $b[] = "$key='".mysqli_real_escape_string($con, $value)."'";        
    }

    $q .= implode(",", $b);
    $q .= " where ".$where;

    db_query($q);

}

and I use it like this :

db_array_update("all_data",array('last_fetched' =>date("Y/m/d H:i:s"),'name'=>$name, 'creation'=>$creat, 'expiration' =>$expire,"id=".$res['id']);

Can someone help me with how I should fix this? I tried many things but they did not work...

Upvotes: 1

Views: 282

Answers (2)

Markus AO

Reputation: 4889

What's being passed into your function as $a must have one or more array values that are arrays themselves. You will get this error if $value is an array, i.e. you have a multi-dimensional array instead of simple key/string pairs.

Do var_dump($a) inside your function to see which one of your array values is an array. Also, you have some goofs in the data you pass in:

db_array_update("all_data",array(
    'last_fetched' => date("Y/m/d H:i:s"),
    'name'=>$name,  // May be an array?
    'creation'=>$creat,  // May be an array?
    'expiration' =>$expire, // May be an array?
    ), // Need this closing ) to end the array.
    "id=".$res['id'] // This one should be outside the array!
    );

Also, you need to close the array before the 'id=' bit that you're passing in for the $where condition; you have unclosed parentheses there.

...Really though, your code is full of funnies outside this issue. Study the answers here. If this is a representative specimen of the code, someone should rewrite your database functionality.

Upvotes: 1

Norbert

Reputation: 6084

The use of mysqli is done wrong. The whole benefit of mysqli has been reduced to about zero. See http://php.net/manual/en/book.mysqli.php for examples.

To correct a part of the code:

  • The connection was opened many times: really inefficient.
  • Escaping is not required when adding data into the database the correct way. No use of variable binding => very weak protection against SQL injection.

The code after these possible corrections:

function db_array_update($table, $a, $where) 
{    
    $q = "update $table set ";   // trailing space: without it the query reads "set<column>=?"
    $b = array();                // "column=?" placeholders
    $c = array();                // the values, in the same order as the placeholders

    // Open the connection once, outside the loop
    $con = mysqli_connect("localhost", MYSQLUSER, MYSQLPASS, MYSQLDB);

    foreach ($a as $key => $value)   
    {   
        if (is_int($key))
            continue;   

        $b[] = "$key=?";
        $c[] = $value;
    }

    $q .= implode(",", $b);
    $q .= " where " . $where;

    // mysqli uses positional "?" markers, so values are bound by position, not by
    // name: one type character per value ('s' = string) followed by the values
    // themselves (argument unpacking into bind_param needs PHP 5.6+).
    $stmt = $con->prepare($q);
    if (count($c) > 0)
        $stmt->bind_param(str_repeat("s", count($c)), ...$c);

    $stmt->execute();
    $stmt->close();
}

This is still not compliant:

  • $where is an unknown string; it should use parameter binding.
  • $table is assumed an internal value, but should just be a direct table name to prevent any abuse there.

Upvotes: 0
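The two answers above leave two loose ends: Markus AO's point that an array value in $a is what triggers the "array given" notice, and Norbert's closing remark that $where and $table are still interpolated into the query. The following is an added example (not code from the question or from either answer) of a version of the helper that closes both: every value, including the WHERE condition, is bound as a parameter; table and column names are checked against a plain-identifier pattern and backtick-quoted instead of being trusted; and non-scalar values are rejected with a clear exception rather than a mysqli notice. It assumes the MYSQLUSER/MYSQLPASS/MYSQLDB constants and the $name, $creat, $expire and $res variables from the question; quote_ident and db_array_update_safe are names chosen here, not part of any library.

```php
<?php
// Added example: hardened replacement for db_array_update.
// Assumes MYSQLUSER / MYSQLPASS / MYSQLDB constants as in the question.

/**
 * Accept only plain SQL identifiers (table/column names) and backtick-quote them.
 * Anything else is rejected, so $table and the keys of $set/$where can no longer
 * smuggle SQL into the statement even though they are not bindable parameters.
 */
function quote_ident($name)
{
    if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid SQL identifier: " . var_export($name, true));
    }
    return "`" . $name . "`";
}

/**
 * UPDATE `table` SET `col`=?, ... WHERE `col`=? AND ...
 * $set and $where are both column => scalar-value arrays; every value is bound.
 * Returns the number of affected rows.
 */
function db_array_update_safe(mysqli $con, $table, array $set, array $where)
{
    $assign = array();
    $cond   = array();
    $params = array();

    foreach ($set as $col => $value) {
        if (is_int($col)) {
            continue;                       // same skip as the original helper
        }
        if (is_array($value) || is_object($value)) {
            // This is exactly the situation behind the notice in the question:
            // a nested array where a string was expected.
            throw new InvalidArgumentException("Value for '$col' must be scalar");
        }
        $assign[] = quote_ident($col) . "=?";
        $params[] = $value;
    }
    if (!$assign) {
        throw new InvalidArgumentException("Nothing to update");
    }

    foreach ($where as $col => $value) {
        if (is_array($value) || is_object($value)) {
            throw new InvalidArgumentException("Condition for '$col' must be scalar");
        }
        $cond[] = quote_ident($col) . "=?";
        $params[] = $value;
    }
    if (!$cond) {
        // An UPDATE with no WHERE rewrites the whole table; refuse it outright.
        throw new InvalidArgumentException("Refusing to UPDATE without a WHERE clause");
    }

    $sql = "UPDATE " . quote_ident($table)
         . " SET " . implode(", ", $assign)
         . " WHERE " . implode(" AND ", $cond);

    $stmt = $con->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $con->error);
    }
    // mysqli binds by position; sending everything as 's' lets MySQL convert
    // to the column type. Argument unpacking into bind_param needs PHP 5.6+.
    $stmt->bind_param(str_repeat("s", count($params)), ...$params);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// Usage mirroring the call in the question: one connection, reused, and the
// id condition passed as data instead of being concatenated into the SQL.
$con = mysqli_connect("localhost", MYSQLUSER, MYSQLPASS, MYSQLDB);
db_array_update_safe($con, "all_data",
    array(
        'last_fetched' => date("Y/m/d H:i:s"),
        'name'         => $name,
        'creation'     => $creat,
        'expiration'   => $expire,
    ),
    array('id' => $res['id'])
);
```

If $name, $creat or $expire is itself an array (the cause Markus AO describes), this version fails fast with an InvalidArgumentException naming the offending column, which is easier to act on than the original mysqli notice. The identifier check is deliberately strict: if your schema uses column names outside [A-Za-z0-9_], widen the pattern rather than dropping the check.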
