I am creating a magento module and and in the controller I am trying to generate a query. ex: "INSERT INTO ". $resource->getTableName('mymod/mymodtable')." SET
"INSERT INTO ". $resource->getTableName('mymod/mymodtable')." SET
pid ='".mysql_real_escape_string($pp['id'])."'";
On my local setup this works ok, and I get the expected id
in pid
. But as soon as I upload it to my server, that portion becomes blank. I know that the database connection exists, because it inserts a new row with blank pid
on server. I have tried var_dump
and it does prove that $pp['id']
has the value, yet mysql_real_escape_string
returns blank. I also tried mysqli_real_escape_string
, but nothing. Any ideas?
Which database interface are you using? mysql_real_escape_string
should be used only with mysql_query
, and you shouldn't be using that interface if you can avoid it. Without a valid connection it may not function correctly.
When using mysqli
you should be using parameterized queries and bind_param
to add user data to your query. Calling the escaping function manually is usually a mistake.
If you're using Magento, you might want to look at how to escape values using the Magento database layer.
Per this previous question , you probably don't have a "database connection".
What's often confusing is, that when the mysql_real_escape_string
documentation talks about a database connection, they specifically mean a database connection opened with the mysql_connect
function.
If you're using Magento's standard objects to talk to the database, you don't have a mysql_connect
connection, you have a PDO connection (via a Zend_Db_Adapter
class ). PDO is designed to encourage parameterized queries.
So, your options here
Go with the flow and build your queries using parameterized query strings. (if you can't figure out how a new questions with some code samples should set you right).
The adapter object has a quote method which you can use to quote your strings
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.