0

I am trying to use the mysqli_real_escape_string() Function in a query.

This is my current code:

 $Product_Id = substr($prod_name, 14, (strlen($prod_name)-14));
 $get_query = "SELECT P FROM Product WHERE Product_Id =' .mysql_real_escape_string((int)$Product_Id))";

This does not work, it creates the following error:

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in

But if i remove the mysqli_real_escape_string function my code works.

So what is the best way to do this, as i am trying to stop sql injection.

Monroe
  • 177
  • 11
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – Jay Blanchard Apr 21 '16 at 15:21
  • Please read up on [strings](http://php.net/string). You quotes are wrong. – Jonnix Apr 21 '16 at 15:21
  • You have to learn the difference between SQL and PHP since they are different languages. `mysql_real_escape_string()` is a PHP function, not a SQL function. – Álvaro González Apr 21 '16 at 15:21
  • 1
    imo, please don't use any `mysql*_` functions at all. Also, never use `mysqli_real_escape_string` or `PDO Quote` functions. imo, always use `prepared queries with placeholders` whenever you are using variables, supplied from a user, in an SQL statement. – Ryan Vincent Apr 21 '16 at 15:33
  • 1
    Maybe you should look at PDO... With predefined queries you shouldn't care about SQL injections. – LibertyPaul Apr 21 '16 at 15:36
  • Would you supply the link to the tutorial that you are using, please? – Ryan Vincent Apr 21 '16 at 16:32
  • @RyanVincent https://www.youtube.com/watch?v=3WhC8PQVQbs&list=PL4AXXo9KTKTCq8Nq0NUmVof3riigdS4yR – Monroe Apr 21 '16 at 18:13
  • Ok, imo, I would recommend this: [Youtube video course for learning PHP PDO Programming](https://www.youtube.com/playlist?list=PLfdtiltiRHWF5Rhuk7k4UAU1_yLAZzhWc). Why? 1) It uses PDO. 2) when it introduces queries with parameters - it goes directly into prepared queries :) see: [PHP OOP Login/Register System: Database Querying (Part 8/23)](https://www.youtube.com/watch?v=PaBWDOBFxDc&index=8&list=PLfdtiltiRHWF5Rhuk7k4UAU1_yLAZzhWc). Takes longer to go through but it will set you up for all PHP PDO programming for a long while. – Ryan Vincent Apr 22 '16 at 17:52

1 Answers1

1

I am trying to use the mysqli_real_escape_string() Function in a query.

But you're actually not. In your query you're using mysql_real_escape_string().

Plus that query is malformed, so it wouldn't work anyway. Your quotes are in the wrong places. Try the following:

$get_query = "SELECT P FROM Product WHERE Product_Id = " . (int) mysqli_real_escape_string($Product_Id);

Since $Product_Id is being cast to an integer, you won't need to wrap it in quotes within the query (assuming Product_Id column is integer-based; since you're casting it to an integer, I'm assuming it is).

And moving the type cast (int) from the argument within mysqli_real_escape_string() to actually preceding the function is what you're looking for. Although it's not necessary to cast $Product_Id at this time as it is redundant and could actually pose more problems than it'd solve in some circumstances (Ie. assume $Product_Id was somehow set to a string [$Product_Id = 'Marcus'], and you then cast it to an integer: (int) $Product_Id it'd return 0, but no error). A negative integer would also slip through which I'm assuming you don't have negative $Product_Id's, right? There are much better ways to detect, and handle, variable types prior to sending them to a query. But we can get into that another time.

In your query you had an erroneous single-quote (WHERE Product_Id =') which was causing a parsing error.

mferly
  • 1,646
  • 1
  • 13
  • 19