Converting mysql_real_escape to it's MySQLi equivalent

Question

I have this code:

<?php
@include_once('set.php');
@include_once('steamauth/steamauth.php');
if(!isset($_SESSION["steamid"])) {
        Header("Location: index.php");
        exit;
}
$link = $_POST["link"];
$link = mysql_real_escape_string($link);
$steam = $_SESSION["steamid"];
mysql_query("UPDATE users SET `tlink`='$link' WHERE `steamid`='$steam'");
Header("Location: settings.php");
exit;
?>

And I need to convert it to MySQLi because it's completely useless in's current state. Changing the "mysql_" to "mysqli_" doesn't work at all.

You should learn to use prepared statements instead of escaping. But what you want is `mysqli_real_escape_string($conn, $link)`. — Barmar, Nov 14 '15 at 19:11

Rajdeep Paul · Answer 1 · 2015-11-14T19:33:53.083

I think this is what you're looking for.

<?php

require_once('set.php');
require_once('steamauth/steamauth.php');
if(!isset($_SESSION["steamid"])) {
    header("Location: index.php");
    exit();
}
$steam = $_SESSION["steamid"];

// Open a new connection to the MySQL server
$connection = new mysqli($host, $username, $password, $databaseName);

// Check connection
if($connection->connect_errno){
    // error
    die('Connect Error: ' . $connection->connect_error);
}

// Escapes special characters in a string for use in an SQL statement
$link = $connection->real_escape_string($_POST["link"]);

// Execute query
$connection->query("UPDATE users SET tlink='{$link}' WHERE steamid='{$steam}'");

// Close connection
$connection->close();
header("Location: settings.php");
exit();

?>

Converting mysql_real_escape to it's MySQLi equivalent

1 Answers1