
I am trying to input information from a GET form into a database. For obvious reasons I do not want to risk SQL injection, so I am using escape string; however, when I try to use mysqli real escape string it causes a blank output, but when I use the plain GET value it works fine.

So far I have managed to display it using `echo $cly;`. Even when trying to add real escape string directly to the GET, `mysqli_real_escape_string($_GET['cly']);`, this also does not work.

```php
<?php
$cly = $_GET['cly'];
// called with a single argument; no connection link is passed
$clyesc = mysqli_real_escape_string($cly);
echo $clyesc;
```
pomeh
    If you don't want to risk SQL injection.... use bind variables with prepared statements rather than mysqli_real_escape_string – Mark Baker Aug 29 '14 at 09:26
  • [You have to provide a mysqli link as first parameter.](http://de1.php.net/manual/en/mysqli.real-escape-string.php) – Gerald Schneider Aug 29 '14 at 09:27
  • [Prepared statements and bind Variables](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Mark Baker Aug 29 '14 at 09:30

2 Answers


You will get blank output from mysqli_real_escape_string if you don't have a database connection open. This will cause PHP to emit the warning:

mysqli_real_escape_string() expects exactly 2 parameters, 1 given in - on line …

Connect to the database first and pass the link to it as the first argument.

That said, you should generally avoid mysqli_real_escape_string in favour of prepared statements with bound parameters.

Quentin
  • See [this question](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) for more on bound parameters. – Quentin Aug 29 '14 at 09:29
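Both approaches side by side, as an added example that is not code from the question or either answer; the connection credentials, the table `clients` and the column `cly` are assumed names:

```php
<?php
// Added example: storing a GET parameter with mysqli. The credentials,
// table and column names below are placeholders, not from the question.
$conn = mysqli_connect('localhost', 'dbuser', 'dbpass', 'appdb');
if ($conn === false) {
    die('Connection failed: ' . mysqli_connect_error());
}
// Escaping is charset-dependent, so fix the connection charset before
// escaping or binding anything.
mysqli_set_charset($conn, 'utf8mb4');

$cly = isset($_GET['cly']) ? $_GET['cly'] : '';

// Option 1: escaping with the connection link as the first argument.
// This only protects the query when the escaped value sits inside a
// quoted string literal; dropping it unquoted into a numeric context
// would still be injectable.
$clyesc = mysqli_real_escape_string($conn, $cly);
$sql = "INSERT INTO clients (cly) VALUES ('$clyesc')";
if (!mysqli_query($conn, $sql)) {
    die('Insert failed: ' . mysqli_error($conn));
}

// Option 2 (preferred, as both answers say): a prepared statement with a
// bound parameter. The value is sent separately from the SQL text, so it
// can never change the structure of the statement and needs no escaping.
$stmt = mysqli_prepare($conn, 'INSERT INTO clients (cly) VALUES (?)');
if ($stmt === false) {
    die('Prepare failed: ' . mysqli_error($conn));
}
mysqli_stmt_bind_param($stmt, 's', $cly); // 's' binds the value as a string
if (!mysqli_stmt_execute($stmt)) {
    die('Execute failed: ' . mysqli_stmt_error($stmt));
}
mysqli_stmt_close($stmt);
mysqli_close($conn);
```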

You need to add the first parameter as the connection object:

```php
<?php
// $conn is an open mysqli connection, e.g. the result of mysqli_connect()
$cly = $_GET['cly'];
$clyesc = mysqli_real_escape_string($conn, $cly);
echo $clyesc;
```
Praveen Kumar Purushothaman