mysqli_real_escape_string可捕获的致命错误错误

Question

i want to insert in db and use this code

$con=mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
        $sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]' AND `id`='mysqli_real_escape_string($con,$_POST[con_id])' AND `activecode`='mysqli_real_escape_string($con,$_POST[regcode])' ";

but when i execute an error shown:

Catchable fatal error:  Object of class mysqli could not be converted to string in /home/mobileab/public_html/index.php on line 116

why how can i use this in my code for sql injection? thank you so

Answer 1

You are not concatenating correctly, functions are not executed in a string:

$sql = "select * from `mobiles` where `user_id`='$_SESSION[userid]'
          AND `id`='" . mysqli_real_escape_string($con,$_POST['con_id']) . "'
          AND `activecode`='" . mysqli_real_escape_string($con,$_POST['regcode']) . "'";

But I would recommend using a prepared statement instead.