I searched through and viewed lots of questions before I asked. I did see this on Dagon; however, it didn't mention the `sanitize` function. As I stated, I am not a PHP expert, and I didn't know if that would make a difference in the syntax. Sorry for the duplicate.

I am not a PHP expert, not even a frequent user, but I am trying to correct some PHP code for a client. I didn't write this code, I am just trying to resolve the errors. Can someone point me in the right direction?

Error Code -

```
PHP Warning:  mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home5/tfgfouze/public_html/shop/shopping/index.php on line 62
```

PHP Code -

```php
function sanitize($var){
    return mysqli_real_escape_string(str_replace("`","\`", $var));
}
```
  • `mysqli_real_escape_string()` requires a link to your database in addition to the string you are sanitizing. However, suggest to your client the benefits of refactoring this code to use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – Crackertastic Oct 17 '14 at 20:30
  • Don't escape when using MySQLi, use prepared statements/bind variables which will do it for you – Mark Baker Oct 17 '14 at 20:32

1 Answer

`mysqli_real_escape_string` requires two arguments, as explained in the PHP documentation and in the error message:

  • The first argument should be the variable carrying the database connection.
  • The second argument should be the string that you want sanitized.

Notice how I said string, because `mysqli_real_escape_string` works on sanitizing strings only. It will not work on sanitizing integers.

Also, my biggest advice here would be to stop using sanitization functions in general and to start using prepared statements.

Ali
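The two routes described in the answer and the comments, as an added example that is not part of the original post: the helper corrected to pass the connection link, beside the prepared-statement approach that makes the helper unnecessary. It assumes a mysqli connection in `$db`, a hypothetical `products` table, and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a mysqli
// connection in $db; the `products` table and its columns are constructed
// for illustration.

// 1. The original helper with the fix the answer describes: the connection
//    link is the first argument. Escaping is only meaningful for a value that
//    will sit inside a quoted string literal in the SQL; it does nothing for
//    an unquoted integer such as "... WHERE id = $id".
function sanitize(mysqli $db, string $var): string {
    return mysqli_real_escape_string($db, str_replace("`", "\`", $var));
}

// 2. The approach the answer and both commenters recommend: a prepared
//    statement with a bound parameter. The value never becomes part of the
//    SQL text, so no escaping is needed, and the type code ('i' integer,
//    's' string) covers the integer case the escaping helper cannot protect.
function findProductById(mysqli $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function findProductsByName(mysqli $db, string $name): array {
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE name LIKE ?');
    $pattern = '%' . $name . '%';   // wildcards are added to the value, not the SQL
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage (connection parameters are placeholders):
// $db = new mysqli('localhost', 'user', 'password', 'shop');
// $db->set_charset('utf8mb4');   // escaping depends on the connection charset
// $product = findProductById($db, (int) ($_GET['id'] ?? 0));
// $matches = findProductsByName($db, $_GET['q'] ?? '');
```

If the client's code still needs `sanitize()` while it is being migrated, calling `set_charset()` before any escaping matters: `mysqli_real_escape_string()` escapes according to the connection's character set.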