
I am new to PHP and coding for MySQL. I am upgrading PHP code that used the deprecated mysql_ functions to mysqli_. I cannot get the format for this function converted to mysqli_ correctly. This code is in a functions.php file which is included by most of the other PHP code.

```php
// original version, built on the removed mysql extension
function tep_db_input($string) {
    return mysql_escape_string($string);
}
```

I attempted to code as follows:

```php
// attempted mysqli_ version; $con is the connection opened elsewhere
function tep_db_input($string) {
    return mysqli_escape_string($con, $string);
}
```

`$con` is my database connection. The error that I receive is:

```
Warning: mysqli_escape_string() expects exactly 2 parameters, 1 given in /home4/reinvest/public_html/members/includes/functions.php on line 7
```

Since I do have 2 parameters in the `mysqli_escape_string()` call, I am lost as to what the issue is.

Dharman
Sue Todd
  • Please add your code for your database connection. – Irvin Oct 06 '16 at 00:28
  • $con is not defined in that example – cnizzardini Oct 06 '16 at 01:56
  • **Don't do this**. Instead use prepared statements with placeholder values. Wrapping around the database functions is also adding a layer of abstraction where, considering the risks of an improperly escaped value, utmost clarity is absolutely necessary. – tadman Oct 06 '16 at 02:43
  • Here is the code, including the database connection: – Sue Todd Oct 06 '16 at 03:15
  • @tadman - I am not familiar with coding using prepared statements with placeholder values. I believe the $string is generic for all input fields. Can you give me an example of the coding you are referencing? – Sue Todd Oct 06 '16 at 03:21
  • @Irvin - I did have the connection name incorrect initially, but I still receive the same error message after making the correction. – Sue Todd Oct 06 '16 at 03:24
  • Right here. What `tep_db_input` does is anyone's guess based on the name. If you must manually escape, which is rare if you use [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php), then make it as obvious as possible what you're doing. Every query with manual escaping is a liability, so try and keep them to a minimum. The good news is most things can be done with prepared statements, so this is a non-issue most of the time. – tadman Oct 06 '16 at 03:29
  • @tadman - I did not write this code, obviously... :) I would just comment it out, but there are many modules that reference this function, e.g. `$i_levels = tep_db_input($_REQUEST['i_levels']);`... Initially, I just removed the `tep_db_input(`, but I am worried that there may be an issue with doing that? – Sue Todd Oct 06 '16 at 03:41
  • this code is from a database update module... User is updating some fields in the frame... – Sue Todd Oct 06 '16 at 03:42
  • Where it came from is just historical fact. If you're interested in cleaning it up, look at how prepared statements work. Manual escaping is very tricky; if you forget, there's trouble, so most modern database systems have placeholders like `?` or `:name` for the actual value and the driver handles adding the data for you. – tadman Oct 06 '16 at 03:50
  • Apparently, such a rewrite will do no good to anyone. Let me suggest leaving this code alone and, instead of wasting your time on rewriting, spending it on learning basic PHP. – Your Common Sense Oct 06 '16 at 04:33
  • @yourcommonsense - agreed, but I do not have the luxury of time to learn "basic PHP" as I am only helping someone migrate his site to a new server because the existing one is being decommissioned in the next couple of days. The website was created using WordPress/PHP and mysql... which as I am sure you know will not work in the newer releases of PHP. I updated everything but the mysql_escape_string. I have commented out that function until I have the time or someone can tell me how to resolve it. There are many programming languages and to be an expert in all would be impossible. Thx – Sue Todd Oct 06 '16 at 06:29
  • "Newer releases" is a vague term. I am sure that your new server is not that recent, so the problem is solved. Besides, even for PHP 7 you can install an old extension manually. You see, doing something without expertise can do more harm than good. So your help could turn into a disservice. – Your Common Sense Oct 06 '16 at 07:20
  • @YourCommonSense - the data was transferred by HostGator to a new account. Their earliest PHP configuration is 5.4 and latest is 7.0. I know that you are an expert in your field, but having a little consideration would be useful to those not. I was not informed of a way to "install an old extension manually" . Sorry that you feel that my help was a disservice. From everything that I have researched to this point, changing mysql_ to at minimum mysqli_ was not only something I had to do, but suggested. Changing to PDO would have required more understanding than obviously I have. Thank you. – Sue Todd Oct 06 '16 at 13:22
  • So either 5.4, 5.5 or 5.6 would work like a charm with the mysql ext, which is what I said. – Your Common Sense Oct 06 '16 at 13:50
  • If the warnings could be suppressed... – Sue Todd Oct 06 '16 at 18:10
  • Yes, warnings could be suppressed. – Your Common Sense Oct 08 '16 at 05:49
  • Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Feb 05 '22 at 15:34
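The prepared-statement replacement that the comments above recommend, as an added example that is not part of the question or of the functions.php module it describes. It assumes an open mysqli connection in `$con` (PHP 7, mysqlnd driver) and a hypothetical table `members` with columns `id` and `i_levels`; the table, column names and connection credentials are placeholders invented for the example.

```php
<?php
// Added example, not code from the question or from its functions.php:
// prepared statements instead of tep_db_input() escaping.
// Assumes an existing mysqli connection in $con and a hypothetical table
// `members` with columns `id` and `i_levels` (names made up here).

declare(strict_types=1);

// Make mysqli throw exceptions instead of returning false and emitting warnings.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function update_member_levels(mysqli $con, int $member_id, string $i_levels): int
{
    // The SQL text contains only placeholders; the values travel separately,
    // so $i_levels needs no quoting or escaping (and must not get any).
    $stmt = mysqli_prepare($con, 'UPDATE members SET i_levels = ? WHERE id = ?');
    // "si": first placeholder bound as a string, second as an integer.
    mysqli_stmt_bind_param($stmt, 'si', $i_levels, $member_id);
    mysqli_stmt_execute($stmt);
    $rows = (int) mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $rows;
}

function find_member_ids_by_levels(mysqli $con, string $i_levels): array
{
    $stmt = mysqli_prepare($con, 'SELECT id FROM members WHERE i_levels = ?');
    mysqli_stmt_bind_param($stmt, 's', $i_levels);
    mysqli_stmt_execute($stmt);
    // mysqli_stmt_get_result() requires the mysqlnd driver (default since PHP 5.4).
    $result = mysqli_stmt_get_result($stmt);
    $ids = [];
    while ($row = mysqli_fetch_assoc($result)) {
        $ids[] = (int) $row['id'];
    }
    mysqli_stmt_close($stmt);
    return $ids;
}

// Replaces the old pattern  $i_levels = tep_db_input($_REQUEST['i_levels']);
// The raw request value is handed to the driver untouched; binding does the work.
$con = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
mysqli_set_charset($con, 'utf8mb4');

$i_levels  = (string) ($_REQUEST['i_levels'] ?? '');
$member_id = (int) ($_REQUEST['id'] ?? 0);

$updated = update_member_levels($con, $member_id, $i_levels);
$matches = find_member_ids_by_levels($con, $i_levels);
```

With this shape there is no escaping wrapper left to call, so the scope problem from the question disappears along with the escaping itself: each query function receives the connection as a parameter, and the value and the SQL text are never concatenated.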

2 Answers


In the second function, you needed to pass `$con` into the function.

Rick James
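What "pass `$con` into the function" looks like in practice, as an added example that is not the asker's code or the answerer's: `tep_db_input()` rewritten so that the connection is visible inside the function, either via `global` (keeps the existing one-argument call sites) or as an explicit parameter. It assumes `$con` is a mysqli link created with `mysqli_connect()` before functions.php is included, as in the question; the `members` table, `last_name` column and credentials are placeholders invented here.

```php
<?php
// Added example, not the asker's or the original module's code: tep_db_input()
// with the connection actually in scope. Assumes $con is a mysqli link created
// with mysqli_connect() before functions.php is included.

// Option 1: keep every existing one-argument call site and read the link from
// global scope. PHP functions do not see globals unless told to with `global`.
function tep_db_input($string)
{
    global $con;
    if (!($con instanceof mysqli)) {
        throw new RuntimeException('tep_db_input(): $con is not an open mysqli connection');
    }
    // mysqli_escape_string() is an alias of mysqli_real_escape_string().
    return mysqli_real_escape_string($con, (string) $string);
}

// Option 2: pass the link explicitly. Clearer, but every caller has to change.
function tep_db_input_link(mysqli $link, $string)
{
    return mysqli_real_escape_string($link, (string) $string);
}

// Escaping is charset-aware, so set the connection charset before escaping
// anything; otherwise multibyte input can still slip a quote past the escaper.
$con = mysqli_connect('localhost', 'dbuser', 'dbpass', 'dbname'); // placeholder credentials
mysqli_set_charset($con, 'utf8mb4');

$name = tep_db_input("O'Brien");   // yields O\'Brien
// The escaped value is only safe when the SQL wraps it in single quotes:
$sql = "SELECT id FROM members WHERE last_name = '" . $name . "'";
// An unquoted interpolation such as  "... WHERE id = " . tep_db_input($id)
// gains nothing from escaping; cast to int there, or use a prepared statement.
```

The `instanceof` check turns the silent failure from the question (an undefined `$con` passed as null) into an explicit error at the first call, which is the behaviour you want while migrating a code base you did not write.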

If you want to clean up an input string, I think it's better to use the function `mysqli_real_escape_string()`. I think it is enough to write:

```php
$string = mysqli_real_escape_string($con, $string);
```
  • What do you mean by "I think"? Have you read the documentation about `mysqli_escape_string` and that this is only an alias for `mysqli_real_escape_string`? – Nico Haase Jan 11 '19 at 16:02