I use this line of code:

```php
list($variable1, $variable2) = explode("|", $_POST['something']);
```

and after that, when I put both variables into mysqli_real_escape_string:

```php
$variable1 = mysqli_real_escape_string($connection, $variable1);
$variable2 = mysqli_real_escape_string($connection, $variable2);
```

it doesn't work. I know this because double quotation marks won't insert into mysql database. Where am I wrong?

shone83

  • Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 18 '17 at 17:43
  • Why are you using `@variable` instead of `$variable`? – aynber Apr 18 '17 at 17:44
  • You shouldn't be using `mysqli_real_escape_string` anymore, it's not safe. You should be using prepared statements: http://php.net/manual/en/mysqli.quickstart.prepared-statements.php – gen_Eric Apr 18 '17 at 17:45
  • _it doesn't work._ So it smokes, catches fire, what? – AbraCadaver Apr 18 '17 at 17:45
  • I am using $variable, @ is a typo, sorry about that. I know about prepare, but before I learn that, I need this. If I insert "something" it won't work... – shone83 Apr 18 '17 at 17:52
  • Preparing statements is actually a whole lot easier than using mysqli_real_escape_string. You'll never have to worry about quoting your variables again, which eliminates a whole lot of syntax errors. – aynber Apr 18 '17 at 17:57
  • So, how are prepared statements supposed to look for this? – shone83 Apr 18 '17 at 19:02

2 Answers


```php
@variable1 = mysqli_real_escape_string($connection, $variable1);
```

This code is not working at all. The syntax `@variable1` is invalid. It should be

```php
$variable1 = mysqli_real_escape_string($connection, $variable1);
```
Marcin Orlowski
    Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 18 '17 at 17:48
  • This is not about any practices but proper elementary syntax issue OP is having. I believe your comment here and under the question flags the dangers sufficiently. – Marcin Orlowski Apr 18 '17 at 17:51

You could use the code below, or you can use a foreach loop to assign a variable to every existing key/value pair in the array.

```php
// Escape the whole POST value first; escaping does not alter the "|" delimiter
$clean_post = mysqli_real_escape_string($connection, $_POST['something']);
$array_post = explode("|", $clean_post);
$value1 = $array_post[0];
$value2 = $array_post[1];
```
K. Tromp
  • I now realize that mysqli_real_escape_string is not the problem why I can't insert text with double quotes into the mysql database. The problem is definitely in this code: list($variable1, $variable2) = explode("|", $_POST['something']); but I can't find a solution. – shone83 Apr 18 '17 at 22:57
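The prepared-statement approach recommended in the comments, applied to this question's `|`-separated POST value, as an added example that is not part of the original question or either answer. It assumes a table `items` with columns `field1` and `field2` (names made up for the example) and a mysqli connection in `$connection`; the sample input is constructed, and double quotes in it are stored unchanged because the values never become part of the SQL text.

```php
<?php
// Added example: insert the two "|"-separated values from $_POST['something']
// with a mysqli prepared statement instead of mysqli_real_escape_string.
// Assumed (not from the original post): table `items` with columns
// `field1` and `field2`, and a mysqli connection in $connection.

// Turn mysqli errors into exceptions so a failed prepare/execute is not silent.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function insertPair(mysqli $connection, string $raw): int
{
    // Split at the first "|" only, so a "|" inside the second value survives,
    // and reject input with no delimiter instead of letting list() yield null.
    $parts = explode('|', $raw, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('expected two values separated by "|"');
    }
    [$variable1, $variable2] = $parts;

    // Placeholders: quotes, backslashes and SQL keywords inside the data are
    // sent as parameters and are never parsed as part of the statement.
    $stmt = $connection->prepare('INSERT INTO items (field1, field2) VALUES (?, ?)');
    $stmt->bind_param('ss', $variable1, $variable2);
    $stmt->execute();
    $inserted = $stmt->affected_rows;
    $stmt->close();

    return $inserted;
}

// Constructed sample input (credentials are placeholders): the double quotes
// that failed with manual escaping in the question insert as-is here.
$connection = new mysqli('localhost', 'db_user', 'db_password', 'db_name');
$input = $_POST['something'] ?? 'he said "hello"|second value';
$rows = insertPair($connection, $input);
echo "inserted {$rows} row(s)\n";
```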