PHP mysqli_real_escape_string returning empty string

Question

The code works fine if I don't use the mysql_real_escape_string function. But the function is returning nothing! I read that the problem may be due to the fact that I do not have a mysql connection but that does not seem to be the case!

Please help!

<?php
$con=mysqli_connect("localhost","root","pwd","mysql");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }

$title = mysqli_real_escape_string($_POST["title"]);
$comment = mysqli_real_escape_string($_POST["comment"]);
$type = $_POST["type"];
$time = date("Y-m-d H:i:s");


$sql="INSERT INTO posts
VALUES
('','$type','$time','$time','$title','$comment','0','0','0','0','0')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }



mysqli_close($con);
header ("location: index.php");
?>

Answer 1

您需要将连接传递给函数

$title = mysqli_real_escape_string($con, $_POST["title"]);

Answer 2

According to http://php.net/manual/en/mysqli.real-escape-string.php you need to pass two parameters unless you are using the object oriented style.You should be using the format:

mysqli_real_escape_string ( $link , $escapestr )

Where $link is: A link identifier returned by mysqli_connect() or mysqli_init()

And $escapestr is: The string to be escaped. Characters encoded are NUL (ASCII 0), \\n, \\r, \\, ', ", and Control-Z.

Answer 3

php.net says
Procedural style
mysqli_real_escape_string ( mysqli $link , string $escapestr )
So you will need to add your $con to it:
$title = mysqli_real_escape_string($con, $_POST["title"]);