
I have the following code, within a larger PHP script:

    $FullSQL = $inSQL;
    foreach ($ROW as $item) {
        $ItemName   = (string)$item->getName();
        $fieldValue = $ROW->$ItemName;
        // Deprecated mysql_* escaping: this is the call that triggers the warning
        $FullSQL = $FullSQL . "'" . mysql_real_escape_string($fieldValue) . "', ";
    }
    // Drop the trailing ", " and close the VALUES list
    $inSQL_len = strlen($FullSQL) - 2;
    $FullSQL   = substr($FullSQL, 0, $inSQL_len) . ")";
    echo "INSERTED FullSQL=" . $FullSQL . "<br><br>";

    if (!mysqli_query($con, $FullSQL)) {
        // mysqli_error() requires the connection handle
        die('Error inserting tmporder: ' . $FullSQL . " ERROR:" . mysqli_error($con));
    } else {
        echo "INSERTED inSQL=" . $FullSQL . "<br><br>";
    }

    }   // closes the enclosing block (not shown)
}       // closes the enclosing block (not shown)

I've managed to convert the whole script to mysqli, except the section above. As expected, the mysql_real_escape_string($fieldValue) part is generating a mysql deprecation error.

How do I convert that piece of code to use mysqli? It requires two variables, and there is only one.

Thanks.

Dharman
inspirednz
  • `mysqli_real_escape_string($con, $string)` – Beginner Dec 01 '16 at 02:29
  • Prepared statements would be the more recommended way to go: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – fredrover Dec 01 '16 at 02:43
  • 1
    Does this answer your question? [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Dharman Feb 05 '22 at 15:32

1 Answer


What about

 mysqli_real_escape_string ($con, $fieldValue);

Where $con is your link identifier returned by mysqli_connect() or mysqli_init().


If we compare the syntax of mysqli_real_escape_string() and mysql_real_escape_string(), we have

 mysqli_real_escape_string ($link, $string);
 mysql_real_escape_string ($string[, $link=NULL]);

So the old function also had the same arguments, but in a different order, and $link was optional in the deprecated version.


If you decide to use the object style instead of the procedural one, use it like this:

 $con = new mysqli ("host", "user", "pwd", "db");
 ...
 $safe_string = $con->real_escape_string ($string);
Wh1T3h4Ck5
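The following is an added example, not code from the question or from the answer above. It ports the question's loop to mysqli in two ways: the minimal replacement the answer describes (passing `$con` to `mysqli_real_escape_string()`), and the prepared-statement form the comments recommend, in which the values never become part of the SQL text. It assumes `$con` is an open mysqli connection, `$ROW` is a SimpleXMLElement whose children hold one row's column values, and `$inSQL` is the caller's `INSERT INTO tmporder (...) VALUES (` prefix, as in the question; the `$allowedColumns` list and the column names in the usage comment are constructed placeholders.

```php
<?php
// Added example (not from the question or answer). Assumes $con, $ROW and
// $inSQL as named in the question; $allowedColumns is a hypothetical allow-list.

// Make mysqli throw on failure so a failed INSERT cannot be silently skipped.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Variant 1: minimal port. Same string building as the question, but the
 * escape call now receives the connection so it uses the connection's charset.
 */
function buildEscapedInsert(mysqli $con, string $inSQL, SimpleXMLElement $ROW): string
{
    $values = [];
    foreach ($ROW as $item) {
        $values[] = "'" . mysqli_real_escape_string($con, (string) $item) . "'";
    }
    // implode() replaces the strlen()/substr() trick for removing the last ", "
    return $inSQL . implode(', ', $values) . ')';
}

/**
 * Variant 2: prepared statement. Values are bound as parameters and never
 * touch the SQL text. Column names come from the XML element names, which
 * cannot be bound, so they are checked against an allow-list first.
 */
function insertRowPrepared(mysqli $con, string $table, SimpleXMLElement $ROW, array $allowedColumns): int
{
    $columns = [];
    $values  = [];
    foreach ($ROW as $item) {
        $name = $item->getName();
        if (!in_array($name, $allowedColumns, true)) {
            throw new InvalidArgumentException("Unexpected column in input: $name");
        }
        $columns[] = '`' . $name . '`';
        $values[]  = (string) $item;
    }
    if ($values === []) {
        throw new InvalidArgumentException('Row has no columns');
    }

    // $table is a constant supplied by the calling code, not user input.
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_fill(0, count($values), '?'))
    );

    $stmt = $con->prepare($sql);
    // One 's' type per value; all XML text is bound as a string.
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    return $stmt->affected_rows;
}

// Usage with the question's variables (column names are constructed placeholders):
// $sql = buildEscapedInsert($con, $inSQL, $ROW);
// mysqli_query($con, $sql);
//
// $inserted = insertRowPrepared($con, 'tmporder', $ROW, ['order_id', 'customer', 'total']);
```

`buildEscapedInsert()` is the direct answer to the question as asked; `insertRowPrepared()` is what to move to once the script is on mysqli, since escaping only protects the value positions, while the prepared form also removes the need to get quoting right for every column.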