-1

I have a strange observation with mysql_real_escape_string.

When trying this code on a localhost WAMP server, I am getting:

mysql_real_escape_string() expects parameter 1 to be string, array given

The code is like this:

```php
$_POST = array (
  'level_id' => '4',
  'initLevel' => '4',
  'subject_ids' => 
  array (
    0 => '6',
  ),
  'category' => '11',
  'areas' => '-1',
  'dist_code' => '',
  'district' => '',
  'gender_preference' => '2',
  'race' => 
  array (
    0 => '1',
    1 => '2',
  ),
  'with_photo' => '0',
  'min_age' => '',
  'max_age' => '',
  'notification' => '1',
  'ban_tutor' => '',
  'sort_by' => 'regi_date',
  'fromdate' => '',
  'day' => '14',
  'month' => '5',
  'year' => '2017',
  'todate' => '2017-06-14',
  'result_page' => '10',
  'search' => 'Search Tutors',
);

$_POST = array_map('mysql_real_escape_string', $_POST);
echo '<pre>' . var_export($_POST, true) . '</pre>';
exit;
```

But when I try the same on the live server, I am not getting any error, but the result has the array values stripped, like this:

```php
array (
  'level_id' => '4',
  'initLevel' => '4',
  'subject_ids' => NULL,
  'category' => '11',
  'dist_code' => '',
  'district' => '',
  'gender_preference' => '2',
  'race' => NULL,
  'with_photo' => '0',
  'min_age' => '',
  'max_age' => '',
  'notification' => '1',
  'ban_tutor' => '',
  'sort_by' => 'regi_date',
  'fromdate' => '',
  'day' => '14',
  'month' => '5',
  'year' => '2017',
  'todate' => '2017-06-14',
  'result_page' => '10',
  'search' => 'Search Tutors',
)
```

I need some direction on how to use it correctly.

Note: I know mysql_real_escape_string is deprecated and PDO is the appropriate solution. I am just working on my client's server. Changing the complete system immediately is not feasible.

Pawan
  • What version of PHP is on the live site and what version are you using on your local test site? – RiggsFolly Jun 14 '17 at 11:37
  • on live site - 5.6.30 and localhost 5.6.25 – Pawan Jun 14 '17 at 11:39
  • what is the api used to connect with, `mysql_`? `mysqli_`? PDO? Other? and where's the HTML for this? @Pawan – Funk Forty Niner Jun 14 '17 at 11:42
  • there's also not enough code to support your question. Either you edit your post, or ping me back or take it up with the answer given below. If you don't like waiting for a solution, neither do I so put yourself in my shoes and walk that mile for a while ;-) – Funk Forty Niner Jun 14 '17 at 11:47
  • @RiggsFolly Least "you" got an answer [as did the OP](https://stackoverflow.com/a/44543766/1415724). – Funk Forty Niner Jun 14 '17 at 11:47
  • Even that would still be too good for 'em @RiggsFolly and basically doing "their" homework. Nah, I'll pass. He can take it up with the answer below. Not my idea of "playing ball" at all. I just voted as the generic close. – Funk Forty Niner Jun 14 '17 at 11:55
  • @Fred-ii- what is the api used - it is mysql. – Pawan Jun 14 '17 at 12:06

1 Answer

0

First of all, you should use mysqli instead of mysql.

Now, we can do something like this:

```php
$escaped_row = array_map(array($link, 'mysqli_real_escape_string'), $_POST);
```

But array_map doesn't know to pass a connection as the first argument.

So my opinion is to use array_walk.

```php
array_walk($_POST, function(&$string) use ($link) { 
  $string = mysqli_real_escape_string($link, $string);
});
```

Note: $link is your valid connection.

mysql_real_escape_string and array_map returns blank strings?

Ahmed Ginani
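
An added example (not part of the answer above): a recursive variant of the `array_walk` approach that keeps the nested `subject_ids` and `race` arrays intact instead of passing them to a string-only escape function, which under PHP 5.x warns and returns NULL. The function names and the sample input are constructed for illustration, and `addslashes` stands in for the connection-aware escape function only so the block runs without a database.

```php
<?php
/**
 * Escape every scalar leaf of a (possibly nested) input array.
 * $escape is any callable that takes one string and returns it escaped.
 * Nested arrays keep their structure instead of collapsing to NULL.
 * (Hypothetical helper name.)
 */
function escape_recursive(array $data, $escape)
{
    // array_walk_recursive visits only leaf values, never the sub-arrays.
    array_walk_recursive($data, function (&$value) use ($escape) {
        if (is_scalar($value)) {
            $value = call_user_func($escape, (string) $value);
        }
    });
    return $data;
}

/**
 * Build a comma-separated list of integers for an unquoted IN (...) clause.
 * Escaping only protects values placed inside quotes, so ID lists are cast
 * to int instead. Returns '' when no usable IDs were submitted.
 * (Hypothetical helper name.)
 */
function int_list($ids)
{
    $scalars = array_filter((array) $ids, 'is_scalar');
    return implode(',', array_map('intval', $scalars));
}

// Constructed sample: a subset of the question's $_POST plus a quoted value.
$input = array(
    'level_id'    => '4',
    'subject_ids' => array('6'),
    'race'        => array('1', '2'),
    'district'    => "O'Neil",
);

// With the answer's mysqli connection ($link) the callable would be:
//   function ($s) use ($link) { return mysqli_real_escape_string($link, $s); }
// With the legacy mysql_ API and an open connection: 'mysql_real_escape_string'.
// addslashes() below is a stand-in for this offline demo only.
$clean = escape_recursive($input, 'addslashes');

var_export($clean);                          // race and subject_ids stay arrays
echo "\n", int_list($input['race']), "\n";   // value for: race_id IN (...)
```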