
I have a function to make an insert query, but if I use mysqli_real_escape_string it doesn't respond with the values. The problem is inside the array map, so I can't figure out how to solve this.

Server version: 5.6.24 - MySQL Community Server (GPL)

My function is:

function insertQryStr($array, $table){
    $insertUrl = "insert into %s(%s) values('%s')";
    // The @ operators silence the warnings that array_map and the escape
    // functions would otherwise emit, so the failure shows up only as empty
    // column names and values in the generated SQL.
    $insertQryStr = sprintf($insertUrl, $table, implode(', ',@array_map('mysql_real_escape_string', @array_keys($array))), implode("', '",  @array_map('mysql_escape_string', $array)));
    return $insertQryStr;
}
  • What does _its not response with the values._ mean??? – Murad Hasan May 27 '16 at 19:03
  • You've put `@` at the beginning of the functions. That's the error suppression operator. Take that off and it'll tell you why it isn't working. – castis May 27 '16 at 19:04
  • Use `mysqli_` functions rather than `mysql_escape_string` and `mysql_real_escape_string`. – wogsland May 27 '16 at 19:05
  • @FrayneKonok, if I use `mysqli_real_escape_string` then the query looks like: _insert into table_name(, , , , , , ) values('', '', '', '', '', '', '')_ – May 27 '16 at 19:05
  • @castis, if I do that then some warning comes out. – May 27 '16 at 19:05
  • What is the warning you receive? – castis May 27 '16 at 19:06
  • @wogsland, I am asking why I can't use `mysqli_*`... – May 27 '16 at 19:06
  • @castis, `Warning: mysqli_escape_string() expects exactly 2 parameters, 1 given ...............` – May 27 '16 at 19:07
  • Just stop. Please, you're out of control here. Read the documentation on [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) before just trying things randomly. Manual escaping is extremely error prone and strongly discouraged. – tadman May 27 '16 at 19:10
  • The `mysql_` extension has been removed in PHP 7.0.0 http://php.net/manual/en/intro.mysql.php and escaping will not protect from SQL injection http://bobby-tables.com/ – Jason K May 27 '16 at 19:10
  • @JasonK Technically escaping *is* to protect you from SQL injection. – tadman May 27 '16 at 19:11
  • Possible duplicate of [mysql\_real\_escape\_string and array\_map returns blank strings?](http://stackoverflow.com/questions/18625737/mysql-real-escape-string-and-array-map-returns-blank-strings) – castis May 27 '16 at 19:12
  • The call to `array_map` is failing because `mysqli_real_escape_string` when used as a function requires 2 arguments, the first being `mysqli $link` [as per the documentation](http://php.net/manual/en/mysqli.real-escape-string.php). – castis May 27 '16 at 19:13
  • @castis, how can I use `array_walk` in my function?? – May 27 '16 at 19:15

1 Answer

The call to array_map is failing because mysqli_real_escape_string when used as a function requires 2 arguments, the first being mysqli $link as per the documentation.

array_map doesn't know to pass a connection as the first argument. A better method would be from this answer.

To use this with your function, you'll need to pass in a link to the database.

function insertQryStr($array, $table, $link) {
    // array_walk lets the closure capture $link, so each value is escaped
    // against the actual connection (mysqli_real_escape_string needs it).
    array_walk($array, function(&$string) use ($link) { 
        $string = mysqli_real_escape_string($link, $string);
    });

    // Column names are taken straight from the array keys.
    return sprintf("insert into %s (%s) values('%s')",
        $table,
        implode(", ", array_keys($array)),
        implode("', '", $array)
    );
}

Although a better idea would be to do this before calling insertQryStr() so as to avoid tight coupling.

Having said all that, instead of manually escaping data this way, you should check out and definitely use prepared statements.

castis