I know this has been asked many times before but I'm still stumped. I'm obviously missing something, but I have been unable to figure out how to successfully escape the apostrophe when sending a MySQL query from PHP. Why does this not work when everything I have read says it should?

```php
<?php
$title = "havin' fun";
$con = mysqli_connect($server, $username, $password, $database);
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit; // stop here: there is no connection to query
}
// Call under discussion: no connection argument is passed here
$title = mysqli_real_escape_string($title);
$result = mysqli_query($con, "SELECT id,artist,title FROM songs WHERE title = '$title'");
if ($result) {
    while ($row = mysqli_fetch_assoc($result)) {
        $id = $row['id'];
        $artist = $row['artist'];
        $title = $row['title'];
        echo $id.' - '.$artist.' - '.$title.'<br>';
    }
} else {
    echo 'No Results';
}
mysqli_close($con); // close the handle that was opened above
?>
```
Pete
  • Use prepared statements; you shouldn't escape. – chris85 Aug 25 '15 at 23:55
  • Are you saying nothing you read uses the function properly? –  Aug 26 '15 at 00:01
  • Note, your escaping isn't working because you don't have the connection in the function. `$title = mysqli_real_escape_string($con, $title);`. http://php.net/manual/en/mysqli.real-escape-string.php From the manual...`mysqli_real_escape_string ( mysqli $link , string $escapestr )` – chris85 Aug 26 '15 at 00:01

1 Answer

```php
$title = mysqli_real_escape_string($title); // add another parameter for connection
```

For example:

```php
// $con is the handle returned by mysqli_connect() in the question
$title = mysqli_real_escape_string($con, $title);
```
aldrin27
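The prepared-statement approach recommended in the comments, next to the corrected escaping call from the answer, as an added example that is not code from the question, the comments or the answer. It assumes the question's `songs` table, a PHP build with mysqlnd, and connection settings supplied through the hypothetical environment variables `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME`.

```php
<?php
// Added example. The DB_* environment variable names are assumptions.

// Make mysqli throw exceptions instead of failing silently with false/null.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up songs by exact title with a prepared statement.
 * The title travels as bound data, so the apostrophe needs no escaping.
 */
function findSongsByTitle(mysqli $con, string $title): array
{
    $stmt = $con->prepare('SELECT id, artist, title FROM songs WHERE title = ?');
    $stmt->bind_param('s', $title);   // 's' = bind as a string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

/**
 * Same lookup with escaping, for comparison: the connection is the first
 * argument, and the escaped value must still sit inside quotes in the SQL.
 */
function findSongsByTitleEscaped(mysqli $con, string $title): array
{
    $safe = mysqli_real_escape_string($con, $title);
    $result = mysqli_query($con, "SELECT id, artist, title FROM songs WHERE title = '$safe'");
    return mysqli_fetch_all($result, MYSQLI_ASSOC);
}

$con = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
// mysqli_real_escape_string() escapes according to the connection character set.
$con->set_charset('utf8mb4');

$rows = findSongsByTitle($con, "havin' fun");
if (!$rows) {
    echo 'No Results';
}
foreach ($rows as $row) {
    // Encode on output: values read from the database are untrusted in HTML.
    $line = $row['id'] . ' - ' . $row['artist'] . ' - ' . $row['title'];
    echo htmlspecialchars($line, ENT_QUOTES, 'UTF-8'), '<br>';
}
$con->close();
```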