
MySQL PHP mysql_real_escape_string() - is this value not a string?

I am trying to update a record with the info from a multiple select box. I had it working fine when I was using INSERT INTO to add a new row, but now that I am trying to add it to this code that uses mysql_real_escape_string() it returns the error message at the bottom of this post. I presume something is wrong with the value I'm trying to pass into it, but I don't know how to format it to make PHP happy!

// Line 100 in the original file: the SET line that triggers the warning.
$query = "UPDATE studies
          SET strategies = '" . mysql_real_escape_string($strategies) . "'
          WHERE id = '" . mysql_real_escape_string($id) . "'";

// Build the <option> list from the strategies result set.
while ($row = mysql_fetch_array($result)) {
    $strategylist = $row['name'];
    $strategyname = htmlspecialchars($row['name']);
    $pagelink     = str_replace(" ", "_", $strategylist);

    // Note: "\n" must be double-quoted to emit a newline; '\n' is a literal backslash-n.
    echo '<option value="<a href=&quot;strategies.php?strategy=' . $pagelink . '&quot;>' . $strategyname . '</a>">' . $strategyname . '</option>' . "\n";
}

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given on line 100 (that is the line above that starts SET strategies ='".....)

Looks like $strategies is an array rather than a string. Since you have a multi-select box, if they select multiple items, $strategies will come back as an array.

It comes down to how you want to store multiple selections in that single database column. If you just want to append the selections together into one big string, then use implode():

// Sets strategies to a comma-separated list of selected strategies.
$query = "UPDATE studies
          SET strategies = '" . 
          mysql_real_escape_string(is_array($strategies) ? implode(',', $strategies) : $strategies) . "'
          WHERE id = '" . mysql_real_escape_string($id) . "'"; 

ETA:

As an aside, what you are doing here looks really scary. You have an HTML link as the value of a select box option, which you are then storing in the database (presumably to display later?).

This is really opening yourself up for a trivial XSS attack where somebody submits a fake form with their own options containing links to an attack site, which you happily store in your DB and display later on your site.

Store an ID (or list of ids in your case) or something in your database, then build the links later when you need to display them.
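A defensive version of both points above, added here as an example (not code from the question or either answer): it accepts a string or an array from the multi-select, keeps only IDs from a known list, stores the IDs with a parameterized statement instead of mysql_real_escape_string() concatenation (a swapped-in technique, since the mysql_* extension is gone in PHP 7), and builds the links at display time. The allowed-ID list, the strategies.php link format and the sample POST data are constructed assumptions.

```php
<?php
// Added example, not from the original question or answers. Assumes the
// "strategies" column holds a comma-separated list of strategy IDs and that
// the allowed IDs and their display names come from your own strategies table.

// Accept either a single value or an array (what a multi-select submits) and
// keep only known strategy IDs. This also removes the "array given" warning.
function normalizeStrategies($input, array $allowedIds): array {
    $values = is_array($input) ? $input : [$input];
    $ids = array_map('intval', $values);
    $ids = array_filter($ids, fn($id) => in_array($id, $allowedIds, true));
    return array_values(array_unique($ids));
}

// Build the UPDATE as a parameterized statement (for PDO or mysqli) instead of
// concatenating escaped strings into the SQL text.
function buildUpdate(array $ids, int $studyId): array {
    $sql = 'UPDATE studies SET strategies = ? WHERE id = ?';
    return [$sql, [implode(',', $ids), $studyId]];
}

// Rebuild the links at display time from the stored IDs; the HTML never comes
// from the user, so a forged option value cannot inject markup.
function renderStrategyLinks(string $column, array $names): string {
    $html = '';
    foreach (array_filter(explode(',', $column), 'strlen') as $id) {
        $id = (int) $id;
        if (!isset($names[$id])) {
            continue; // unknown ID: skip it rather than echo it
        }
        $label = htmlspecialchars($names[$id], ENT_QUOTES, 'UTF-8');
        $href  = 'strategies.php?strategy=' . urlencode((string) $id);
        $html .= '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
               . $label . '</a>' . "\n";
    }
    return $html;
}

// Constructed sample input: a forged POST mixing valid IDs, a duplicate and an
// injected link of the kind the answer warns about.
$names  = [1 => 'Spaced repetition', 2 => 'Mind maps & notes', 3 => 'Peer teaching'];
$posted = ['2', '3', '3', '<a href="http://attacker.example">x</a>'];
$ids = normalizeStrategies($posted, array_keys($names));
[$sql, $params] = buildUpdate($ids, 42);
echo $sql, "\n", implode(' | ', $params), "\n";
echo renderStrategyLinks($params[0], $names);
```

The injected value becomes 0 under intval(), is not in the allowed list and is dropped; only the IDs 2 and 3 reach the database, and the anchor tags are generated from your own name table when the page is rendered.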

I think $id is not a string:

mysql_real_escape_string($id)

Something is complaining that $strategies / $id is an array when it should be a string.
