
Hi I have a question about my writing to my database:

I'm new to mysql_escape_string, which a friend told me about. Since I use mysql_escape_string it doesn't write to my db anymore.

Here is the code:

    // --- build the column list: a<begin>, a<begin+1>, ... ---
    $iets = $_POST['aantal'] + $_POST['begin'];
    $rows = '';

    for ($i = $_POST['begin']; $i < $iets; $i++) {
        $rows = $rows . 'a' . $i . ', ';
    }

    // the whole column fragment is escaped at once
    $rows = mysql_escape_string(trim($rows, ', '));

    // --- build the quoted value list from the matching POST fields ---
    $iets = $_POST['aantal'] + $_POST['begin'];
    $values = '';

    for ($i = $_POST['begin']; $i < $iets; $i++) {
        $r = 'a' . $i;
        $values = $values . '\'' . $_POST[$r] . '\', ';
    }

    // the whole value fragment, quotes included, is escaped at once
    $values = mysql_escape_string(trim($values, ', '));

    $naam = mysql_escape_string($_POST['naam']);

    mysql_query("INSERT INTO $naam
    (
    $rows
    )
    VALUES
    (
    $values
    )");
    mysql_close($con);

    printf("%s<br />%s", $values, $rows);

When I have :

aantal = 3
begin = 4

The output of printf, with a4=abcdef, a5=ghijkl, a6=mnopq is:

\'abcdef\', \'ghijkl\', \'mnopq\'<br />
a1, a2, a3

I don't get it, the backslashes shouldn't have an impact right?

  • make `mysql_escape_string` the last thing you do to the values before putting them in the database. – George Dec 14 '12 at 13:54
  • Anyway, I would recommend you to forget about `mysql_query` and start making use of secure ways such as PDO: http://php.net/manual/es/book.pdo.php – Alvaro Dec 14 '12 at 13:55
  • You _should not implement_ `mysql_escape_string()`! It is long-since deprecated in favor of [`mysql_real_escape_string()`](http://php.net/manual/en/function.mysql-real-escape-string.php), which will someday be deprecated in PHP 5.5 as well. – Michael Berkowski Dec 14 '12 at 13:57
  • any good online tutorial of putting data in an DB with PDO or mysqli? – Dylan Westra Dec 14 '12 at 14:06

1 Answer


The point of escaping is to stop characters with special meaning (e.g. ') from having that special meaning. Since you are escaping the fragment of SQL containing all your quoted values, you are escaping the quotes and stopping them from quoting the values.

You need to escape each value before quoting it:

$values = $values.'\''.$_POST[$r].'\', ';
                     //^^^^^^^^^^ Escape this 

However:

Don't use mysql_escape_string: it is broken and has been replaced with mysql_real_escape_string, but don't even use that; don't use mysql_* at all, it is deprecated.

Pick a modern replacement and use prepared statements and bound arguments instead of escaping strings and mushing them together into SQL via string concatenation.
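As an added example (not code from the question or the answer), here is the same dynamic INSERT rebuilt on PDO prepared statements: each POST value is bound as a parameter rather than quoted and escaped, and because table and column names cannot be bound, the table name is checked against an allow-list and the column names are derived only from a validated integer. The table name `antwoorden`, the DSN and the credentials are placeholders.

```php
<?php
// Added example: dynamic INSERT with PDO, values bound instead of escaped.
// Placeholders: allow-listed table name, DSN, user and password.
$allowedTables = ['antwoorden'];   // placeholder: list your real table names

function insertAnswers(array $post, array $allowedTables, PDO $pdo): int
{
    $naam   = $post['naam'] ?? '';
    $begin  = filter_var($post['begin'] ?? null, FILTER_VALIDATE_INT);
    $aantal = filter_var($post['aantal'] ?? null, FILTER_VALIDATE_INT);

    // Identifiers cannot be parameters: validate them, do not escape them.
    if (!in_array($naam, $allowedTables, true)) {
        throw new InvalidArgumentException('unknown table');
    }
    if ($begin === false || $aantal === false || $aantal < 1 || $aantal > 100) {
        throw new InvalidArgumentException('bad begin/aantal');
    }

    $columns = $placeholders = $params = [];
    for ($i = $begin; $i < $begin + $aantal; $i++) {
        $col = 'a' . $i;                     // built from a validated integer only
        $columns[]      = "`$col`";
        $placeholders[] = ':' . $col;
        $params[':' . $col] = $post[$col] ?? null;   // bound, never concatenated
    }

    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $naam, implode(', ', $columns), implode(', ', $placeholders));

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);                 // the driver sends values separately
    return $stmt->rowCount();
}

$pdo = new PDO('mysql:host=localhost;dbname=placeholder_db', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,    // real server-side prepares
]);
echo insertAnswers($_POST, $allowedTables, $pdo), " row(s) inserted";
```

With aantal=3 and begin=4 this prepares `INSERT INTO ... (`a4`, `a5`, `a6`) VALUES (:a4, :a5, :a6)` and sends abcdef, ghijkl and mnopq as parameters, so quotes or backslashes in the input never reach the SQL text.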
