When mysqli_real_escape_string is not working so What are the other solutions without this?

Question

Here's my code:

if(isset($_POST['doSEARCH'])){
    $mysqli->query("SELECT * FROM data WHERE title = '$search'");
}
?>
<form action="" method="post">
    <input type="text" name="search" />
    <input type="submit" value="SAVE" name="doSEARCH" id="doSEARCH" />
</form>

1 Q: can I use this method without using mysqli_real_escape_string? Is it safe?

$search = filter_input(INPUT_POST, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
if(preg_match("/[^a-z0-9 ,.]/i",$search)){
    header('Location: 500error.html'); 
    exit();
}

2 Q: any other short solutins for this? (without using mysqli_real_escape_string)

thank you!

Is it so difficult to read the documentation?: http://php.net/manual/de/mysqli.real-escape-string.php Also this could be helpfull: http://stackoverflow.com/questions/7743372/php-error-mysqli-real-escape-string-expects-exactly-2-parameters-1-given — Dinistro, Nov 14 '14 at 06:49

score 1 · Accepted Answer · answered Nov 14 '14 at 07:01

You can just use

$mysqli = new mysqli("host", "userName", "my_password", "d_name");

if(isset($_POST['doSEARCH'])){
$search = mysqli_real_escape_string($mysqli,$_POST['search']);
$mysqli->query("SELECT * FROM data WHERE title = '$search'");
}

or

$query = sprintf("SELECT * FROM data WHERE title = '%s'",mysql_real_escape_string($_POST['search']));

When mysqli_real_escape_string is not working so What are the other solutions without this?

1 Answers1