I've been doing some research on mysqli_real_escape_string() but I'm not really understanding how to properly use it in my case to help protect against SQLInjection, Using my code below, can someone help me correct this? I appreciate all the help. The other questions on here reguarding sql injection and php did not really answer my question reguarding the proper syntax usage in my format, When I used this:
"$city = mysqli_real_escape_string($_POST['City']);
I got just my generic search no matter what the input of '%$city%' or '%$business%'
<?php
$con = mysqli_connect(........);
// Check connection
if (mysqli_connect_errno())
{
echo "<option>Failed to connect to the Database</option>" ;
}
$city = mysqli_real_escape_string($con, $_POST['City']);
$business = mysqli_real_escape_string($con, $_POST['Business']);
$result = mysqli_query($con,"SELECT * FROM Business WHERE City LIKE '%$city%' AND BName LIKE '%$business%' ORDER BY City, BName ASC");
while($row = mysqli_fetch_array($result))
{
// do stuff here
}
// No other results
echo "<center>No other listings like $city or $business</center>";
// Free result set
mysqli_free_result($result);
mysqli_close($con);
?>
You have to use mysqli_real_escape_string
instead of mysql_real_escape_string
because you are using mysqli_*
functions.
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
You have to rewrite your escape sequences to
$city = mysqli_real_escape_string ($con, $_POST['City']);
$business = mysqli_real_escape_string ($con, $_POST['Business']);
And for preventing sql injection
use prepaid statements
instead.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.