
Someone told me that I need to escape $_POST but once I did this my variables are just empty. What am I missing?

<?php
$order = $_POST['order'];
$heading = $_POST['heading'];
$content = $_POST['content'];
?>

<?php
echo $order . $heading . $content;

$order = mysqli_real_escape_string($order);
$heading = mysqli_real_escape_string($heading);
$content = mysqli_real_escape_string($content);
?>
<?php
echo $order . $heading . $content;

$sql="INSERT INTO faq (`order`, `heading`, `content`)
VALUES ('$order','$heading','$content')";

if (!mysqli_query($con,$sql))
  {
  die('Error: ' . mysqli_error($con));
  }
echo "1 record added";
Smandoli
Michael St Clair
  • Have you verified that $_POST contains the values you expect? – Surreal Dreams Jun 27 '13 at 21:10
  • Do you need to use `mysqli_real_escape_string()`? – alex Jun 27 '13 at 21:11
  • Why not prepare it instead? – Dave Chen Jun 27 '13 at 21:11
  • You shouldn't be using mysql_ functions anyhow. Look into prepared statements for mysqli. – Kai Qing Jun 27 '13 at 21:11
  • For starters, you can't mix and match `mysql_` and `mysqli_` functions. They're not interchangeable. You can escape the variables like you are doing (by using `mysqli_real_escape_string`) but the better practice would be to look into _prepared statements_. – War10ck Jun 27 '13 at 21:11
  • Yes, because originally I was using $_POST directly in the query, which I now know is bad – Michael St Clair Jun 27 '13 at 21:12
  • The mysql_ functions are deprecated, use mysqli or PDO instead. Prepared statements are better for escaping. Yes, you have to escape POST data for SQL if you want to save it to a relational database. – inf3rno Jun 27 '13 at 21:13
  • I changed it to mysqli, it still just inserts an empty row – Michael St Clair Jun 27 '13 at 21:14
  • @inf3rno That's not entirely accurate. Only if the values are being dropped straight into the statement, as they are done here, should they need to be escaped. When the values are properly bound ("binded") in the SQL statement, you do not need to escape them because the `query` is sent to the database separately from the `parameters`. See [this](http://stackoverflow.com/questions/3143614/do-php-pdo-prepared-statments-need-to-be-escaped#answer-3143650) link for references. – War10ck Jun 27 '13 at 21:31
  • What happens if you echo your $sql variable before you run the query? What does the actual query look like? – jcsanyi Jun 27 '13 at 21:37
  • INSERT INTO faq (`order`, `heading`, `content`) VALUES ('', '', '') – Michael St Clair Jun 27 '13 at 21:41
  • I just edited the code; the variables echo nothing after the escape string – Michael St Clair Jun 27 '13 at 21:45
  • According to this post http://php.net/manual/en/mysqli.real-escape-string.php the string will be empty if no connection is open. Could that be the case? – RST Jun 27 '13 at 22:01

3 Answers

I apologize - I must have been asleep this morning. This is something we should have caught earlier.

There were actually two problems in your original code:

  1. Since you're using the mysqli_* functions, you need to use mysqli_real_escape_string() instead of the mysql_real_escape_string() that was originally in your question. You've already corrected this in the question, but it probably led to us overlooking the second problem.

  2. mysqli_real_escape_string() takes different arguments than mysql_escape_string(), and the first argument needs to be a connection identifier. If you change your code to this, it should work:

    $order = mysqli_real_escape_string($con, $order);
    $heading = mysqli_real_escape_string($con, $heading);
    $content = mysqli_real_escape_string($con, $content);
    

As many of the comments pointed out, you may also want to look into using prepared statements instead.

While the code that you have is now secure from SQL injection, the advantage of prepared statements is that escaping is built in automatically and you don't have to remember to escape your variables every time you do a query.

jcsanyi
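To show the two fixes this answer describes side by side, here is an added example (not code from the question or from any of the answers): a connection check first, then the corrected escaping call with `$con` as the first argument, and the prepared-statement version the comments recommend. It assumes the `faq` table with `order`, `heading` and `content` columns from the question; the connection credentials are placeholders, and binding all three values as strings is an assumption, since the column types are not given.

```php
<?php
// Added example, not from the question or answers. Assumes a table
// faq(`order`, `heading`, `content`); credentials below are placeholders.

// Make mysqli throw exceptions instead of silently returning false/empty values.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// With MYSQLI_REPORT_STRICT a failed connection throws mysqli_sql_exception,
// so $con is guaranteed to be a live handle below.
$con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholder values

// Check the input is actually there: a missing key is null and would be
// inserted as '' just like the empty row seen in the question.
foreach (['order', 'heading', 'content'] as $field) {
    if (!isset($_POST[$field]) || $_POST[$field] === '') {
        http_response_code(400);
        exit("Missing field: $field");
    }
}

// Option A: manual escaping. The connection handle is the FIRST argument.
// Calling mysqli_real_escape_string($order) without it (the bug in the
// question) fails instead of escaping, which is why the variables came back empty.
function insertFaqEscaped(mysqli $con, string $order, string $heading, string $content): int
{
    $order   = mysqli_real_escape_string($con, $order);
    $heading = mysqli_real_escape_string($con, $heading);
    $content = mysqli_real_escape_string($con, $content);
    $sql = "INSERT INTO faq (`order`, `heading`, `content`)
            VALUES ('$order', '$heading', '$content')";
    mysqli_query($con, $sql);
    return mysqli_affected_rows($con);
}

// Option B: prepared statement. The SQL text and the values are sent to the
// server separately, so there is no escaping step to forget.
function insertFaqPrepared(mysqli $con, string $order, string $heading, string $content): int
{
    $stmt = $con->prepare('INSERT INTO faq (`order`, `heading`, `content`) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $order, $heading, $content); // 's' = bind as string (assumed column types)
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

$rows = insertFaqPrepared($con, $_POST['order'], $_POST['heading'], $_POST['content']);
echo "$rows record added";
```

Both functions insert the same row; Option B is the one to keep, because the query structure is fixed before any user value reaches the server, whereas Option A is only safe as long as every interpolated variable goes through `mysqli_real_escape_string()` with the right connection handle every time.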
Before you blame real_escape_string as the problem, check if there are any values at all.

    // Debugging only: dumps every POST field as raw text, so remove it afterwards.
    foreach ($_POST as $Name => $Value) {
        echo $Name . ' ' . $Value . '<br />';
    }
jacobgelman

You may not have mysqli enabled in your PHP configuration. Check your phpinfo() to find out. Info here.

Enable it if necessary. However, the advice to change to PDO is good in any case.

Also, assuming you are not on a production server, MAKE SURE YOU HAVE ERRORS SET TO DISPLAY. Essential for troubleshooting.

If mysqli is not enabled it will result in a fatal error. Probably one that shows no matter your display settings. But still, get errors configured to show while you figure this out.

Smandoli