
mysqli_real_escape_string in function, not working?

I made a function exactly the way our teacher made it in an online lecture. But it's not working; the error message first said that there was a variable missing. So I checked it up, and on w3schools they say that you need the connection as a variable and the string. So I added the connection, but then I got an error that said that the variable was undefined. I tried putting the function in different places in the PHP document, but I don't know how to work this one out. Please help?

My code (I deleted my passwords):

<?php

// A function to help prevent SQL injection.
function preparePostData($value)
{
    // Removes backslashes (\) if the server automatically adds them.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    /* Adds quote marks if the value is not numeric or a numeric string.
       mysqli_real_escape_string prefixes special characters with a backslash (\)
       so that MySQL treats them as literal text instead of query syntax. */
    if (!is_numeric($value)) {
        $value = "'" . mysqli_real_escape_string($dbConn, $value) . "'";
    }

    return $value;
}

// If the submit button is set, do this..
if (isset($_POST['saveNews'])) {

    // Connection to db
    $dbConn = mysqli_connect("localhost", "sabe0011", "password", "sabe0011");

    // Check connection
    if (mysqli_connect_errno()) {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    // SQL query
    $insertSQL = "INSERT INTO News (NewsId, Headline, News, Date) VALUES ('NULL', "
        . preparePostData($_POST['newsHeader']) . ", "
        . preparePostData($_POST['news']) . ", "
        . preparePostData($_POST['newsDate']) . ");";

    if (mysqli_query($dbConn, $insertSQL)) {
        echo "Nyheter har sparats";
    } else {
        // mysqli_error() needs the connection handle as its argument.
        echo "Följande fel uppstod " . mysqli_error($dbConn) . ".";
    }
}

// Connection to db
$dbConn = mysqli_connect("localhost", "sabe0011", "password", "sabe0011");

// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

$dbConn->set_charset("utf8");

$newsSQL = mysqli_query($dbConn, "SELECT * FROM News ORDER BY Date;");

echo "<div>";

if (mysqli_num_rows($newsSQL) > 0) {
    while ($rowNews = mysqli_fetch_array($newsSQL)) {
        echo '<h2>' . $rowNews["Headline"] . '</h2>'
           . '<time>' . $rowNews["Date"] . '</time>'
           . '<p>' . $rowNews["News"] . '</p>';
    }
} else {
    echo "Inga nyheter hittades";
}

echo "</div>";
?>

If you connect at the top of your script you'll need to somehow pass it to your function. You have two options. Either make it a parameter in your function: function preparePostData($value, $dbConn); Or you can declare your connection a global variable inside the function, and allow the function to access this variable inside the function: global $dbConn;.
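The first of those two options, as an added example rather than code from the question or the answer: the escaping helper takes the connection as an explicit parameter, so it never depends on a variable from the enclosing scope. The host, credentials, table and column names are assumed to match the question, and NewsId is assumed to be an AUTO_INCREMENT column that the INSERT can leave out.

```php
<?php
// Added example (not the asker's or answerer's code): escaping helper that
// receives the connection it escapes for, instead of relying on scope.
function prepareSQLLiteral(mysqli $dbConn, $value): string
{
    // Numeric values can be embedded unquoted; anything else becomes a
    // quoted literal, escaped according to the connection's character set.
    if (is_numeric($value)) {
        return (string) $value;
    }
    return "'" . mysqli_real_escape_string($dbConn, $value) . "'";
}

if (isset($_POST['saveNews'])) {
    // Connection details assumed from the question.
    $dbConn = mysqli_connect("localhost", "sabe0011", "password", "sabe0011");
    if (!$dbConn) {
        die("Failed to connect to MySQL: " . mysqli_connect_error());
    }

    // Set the charset BEFORE escaping: mysqli_real_escape_string escapes
    // according to the connection's current character set, so escaping
    // with the wrong charset can leave multi-byte input incorrectly quoted.
    mysqli_set_charset($dbConn, "utf8");

    // NewsId is assumed to be AUTO_INCREMENT and is therefore omitted.
    $insertSQL = "INSERT INTO News (Headline, News, Date) VALUES ("
        . prepareSQLLiteral($dbConn, $_POST['newsHeader']) . ", "
        . prepareSQLLiteral($dbConn, $_POST['news']) . ", "
        . prepareSQLLiteral($dbConn, $_POST['newsDate']) . ")";

    if (mysqli_query($dbConn, $insertSQL)) {
        echo "Nyheter har sparats";
    } else {
        // mysqli_error() requires the connection handle as its argument.
        echo "Följande fel uppstod " . mysqli_error($dbConn) . ".";
    }
}
```

Because the connection is a parameter, the function also works when the script holds several connections, which the global-variable variant cannot distinguish. The `is_numeric` branch is what the original function did as well; it only changes whether the literal is quoted, and a numeric string still reaches the database unchanged.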

You are using this function the wrong way.

mysqli_real_escape_string has nothing to do with POST data. Only magic quotes do.

So, you have to split this function into two:

  1. One which cleans your POST data from magic quotes.
  2. One which produces a correct string literal:

     function prepareSQLliteral($value)
     {
         if (!is_numeric($value)) {
             global $dbConn;
             $value = "'" . mysqli_real_escape_string($dbConn, $value) . "'";
         }
         return $value;
     }

However, using manual formatting is not the way to go.
The same processing has to be done not on the global variable but on the very value that is going into the query. And only prepared statements can do that.

But because mysqli prepared statements are quite unusable, you have to use PDO instead.
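The prepared-statement route the answer recommends, as an added example that is not part of the answer: the same insert and listing rewritten with PDO, where the values are bound to placeholders and never become part of the SQL text, so no quoting or escaping helper is needed at all. The DSN, credentials and table layout are assumed to match the question, and NewsId is assumed to be AUTO_INCREMENT.

```php
<?php
// Added example (not from the question or the answers): PDO prepared
// statements replace manual quoting; connection details are assumed.
$pdo = new PDO(
    "mysql:host=localhost;dbname=sabe0011;charset=utf8mb4",
    "sabe0011",
    "password",
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // errors throw, not silently fail
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]
);

if (isset($_POST['saveNews'])) {
    // The SQL text is fixed; the three values travel separately as parameters,
    // so quotes, backslashes or comment sequences in them have no SQL meaning.
    $stmt = $pdo->prepare(
        "INSERT INTO News (Headline, News, Date) VALUES (:headline, :news, :date)"
    );
    $stmt->execute([
        ':headline' => $_POST['newsHeader'],
        ':news'     => $_POST['news'],
        ':date'     => $_POST['newsDate'],
    ]);
    echo "Nyheter har sparats";
}

// A query with no user input needs no placeholders.
$rows = $pdo->query("SELECT Headline, News, Date FROM News ORDER BY Date")
            ->fetchAll(PDO::FETCH_ASSOC);

echo "<div>";
if ($rows === []) {
    echo "Inga nyheter hittades";
}
foreach ($rows as $row) {
    // Escaping on the way into SQL does nothing for the HTML on the way out:
    // stored text is still untrusted when echoed into the page.
    echo '<h2>' . htmlspecialchars($row['Headline'], ENT_QUOTES, 'UTF-8') . '</h2>'
       . '<time>' . htmlspecialchars($row['Date'], ENT_QUOTES, 'UTF-8') . '</time>'
       . '<p>' . htmlspecialchars($row['News'], ENT_QUOTES, 'UTF-8') . '</p>';
}
echo "</div>";
```

With `ATTR_EMULATE_PREPARES` set to false the statement is prepared by the MySQL server itself, so the separation of query and data is enforced by the protocol rather than by client-side string handling. The `htmlspecialchars` calls on output are a separate concern from SQL injection: the original listing echoes database contents straight into HTML, which is the other direction in which unescaped text becomes a problem.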
