
mysql real escape string not letting insert data

I have a form for a job post. Whenever a user enters data and I use mysql real escape string, it inserts blank data in MySQL. What could be the reason? Here is the code of the site. The thing is, I can't trust user input; that's why I want to use mysql_real_escape_string. I have been trying and changing code for 2 hours, but none of it gave me a good result!

    function test_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = mysql_real_escape_string($data);
        return $data;
    }

    $userid1 = $_SESSION['username2'];
    $email = test_input($_POST['email']);
    $salary = test_input($_POST['salary']);
    $job_title = test_input($_POST['jtitle']);
    $company = test_input($_POST['company']);
    $company = mysql_real_escape_string($_POST['company']);
    $location = test_input($_POST['location']);
    $jobtype = test_input($_POST['jobtype']);
    $description = test_input($_POST['description']);
    $closingdate = test_input($_POST['closingdate']);
    $application = test_input($_POST['application']);
    $phone = test_input($_POST['phone']);
    $company_description = test_input($_POST['company_description']);

    $co_video = test_input($_POST['co_video']);
    $website = test_input($_POST['website']);
    $fbid = test_input($_POST['fbid']);
    $twid = test_input($_POST['twid']);

    function create_slug($string) {
        $replace = '-';
        $string = strtolower($string);

        // replace / and . with white space
        $string = preg_replace("/[\/\.]/", " ", $string);
        $string = preg_replace("/[^a-z0-9_\s-]/", "", $string);

        // remove multiple dashes or whitespaces
        $string = preg_replace("/[\s-]+/", " ", $string);

        // convert whitespaces and underscore to $replace
        $string = preg_replace("/[\s_]/", $replace, $string);

        // limit the slug size
        $string = substr($string, 0, 100);

        // slug is generated
        return $string;
    }

    $string = $job_title;
    $slug = create_slug($string);
    $query = mysqli_query($con, "SELECT * FROM `job` WHERE `url` LIKE '".$slug."%'");
    $exists = mysqli_fetch_array(mysqli_query($con,"SELECT count(id) as notify FROM `job` where `url` LIKE '".$slug."%'"));
    $notify = $exists['notify'];
    if ($notify > 0) {
        $new_number = $notify + 1;
        $newslug = $slug."-".$new_number;
        $run = mysqli_query($con, "INSERT INTO `job` (`email`, `salary`, `username`, `job_title`, `company_name`, `location`, `job_type`, `description`, `phone`, `closing_date`, `application_url`, `company_description`, `video`, `website`, `fb`, `tw`, `category`, `url`) VALUES ('".$email."', '".$salary."',  '".$userid1."', '".$job_title."', '".$company."', '".$location."', '".$jobtype."', '".$description."', '".$phone."', '".$closingdate."', '".$application."', '".$company_description."', '".$co_video."', '".$website."', '".$fbid."', '".$twid."', '".$lt."' , '".$newslug."')");
    } else {
        $run = mysqli_query($con, "INSERT INTO `job` (`email`, `salary`, `username`, `job_title`, `company_name`, `location`, `job_type`, `description`, `phone`, `closing_date`, `application_url`, `company_description`, `video`, `website`, `fb`, `tw`, `category`, `url`) VALUES ('".$email."', '".$salary."',  '".$userid1."', '".$job_title."', '".$company."', '".$location."', '".$jobtype."', '".$description."', '".$phone."', '".$closingdate."', '".$application."', '".$company_description."', '".$co_video."', '".$website."', '".$fbid."', '".$twid."', '".$lt."', '".$slug."')");
    }

Well, I think you have to use two parameters in mysqli_real_escape_string, but first you have to create the first parameter by setting up a connection with the database. It should be like:

    <?php
    // for setting up a connection with the database
    $conn = mysqli_connect('yourhostname', 'your mysql user name', 'your mysql password', 'your database');
    // then try using this parameter in mysqli_real_escape_string
    $data = mysqli_real_escape_string($conn, $data);

    ?>

I hope that this could work.
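An added example, not part of the original question or answer: mysql_real_escape_string() belongs to the old mysql extension and returns false when no mysql_connect() link exists, so with a mysqli connection every "escaped" field is concatenated into the query as an empty string. The code below avoids manual escaping by binding the values in mysqli prepared statements. The credentials are placeholders, insert_job() is a hypothetical helper, and only a subset of the question's columns is shown.

```php
<?php
// Added example: placeholder credentials; column subset taken from the question's INSERT.
// Make mysqli throw exceptions so a failed query is never silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$con = mysqli_connect('yourhostname', 'your mysql user name', 'your mysql password', 'your database');
mysqli_set_charset($con, 'utf8mb4');

// Hypothetical helper: stores one job row and returns the slug that was saved.
// $slug is expected to come from the question's create_slug(), which only
// emits a-z, 0-9 and '-', so it carries no LIKE wildcards.
function insert_job(mysqli $con, string $username, array $post, string $slug): string
{
    // Count existing rows whose url starts with this slug (bound, not concatenated).
    $like = $slug . '%';
    $stmt = mysqli_prepare($con, 'SELECT COUNT(id) FROM `job` WHERE `url` LIKE ?');
    mysqli_stmt_bind_param($stmt, 's', $like);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $notify);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    if ($notify > 0) {
        $slug .= '-' . ($notify + 1);
    }

    // Trim for tidiness only; the bound parameters are what keep the SQL safe.
    $email   = trim($post['email'] ?? '');
    $title   = trim($post['jtitle'] ?? '');
    $company = trim($post['company'] ?? '');

    $stmt = mysqli_prepare(
        $con,
        'INSERT INTO `job` (`email`, `username`, `job_title`, `company_name`, `url`)
         VALUES (?, ?, ?, ?, ?)'
    );
    // One 's' (string) per placeholder; values travel separately from the SQL text.
    mysqli_stmt_bind_param($stmt, 'sssss', $email, $username, $title, $company, $slug);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    return $slug;
}

// Usage, with create_slug() as defined in the question:
// $saved = insert_job($con, $_SESSION['username2'], $_POST, create_slug($_POST['jtitle'] ?? ''));
```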
