mysqli_real_escape_string challenge - Win a cappuccino and save a lady from insanity.

6 replies to this topic

#1 april415 (Newbie, 6 posts)
Alright, a cappuccino for the solution!
I know that I need to utilize the mysqli_escape_real_string to prevent apostrophes from crashing my insertion script:
<?php
  $first_name = $_POST['firstname'];
  $last_name = $_POST['lastname'];
  $when_it_happened = $_POST['whenithappened'];
  $how_long = $_POST['howlong'];
  $how_many = $_POST['howmany'];
  $alien_description = $_POST['aliendescription'];
  $what_they_did = $_POST['whattheydid'];
  $fang_spotted = $_POST['fangspotted'];
  $email = $_POST['email'];
  $other = $_POST['other'];

  $dbc = mysqli_connect('localhost','fang','aprildawn','aliendatabase')
    or die('error connecting to MYSQL server.');

  // The posted values are interpolated unescaped, so an apostrophe in any field
  // closes its quotes early and the INSERT fails.
  $query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, " .
    "how_many, alien_description, what_they_did, fang_spotted, other, email) " .
    "VALUES('$first_name', '$last_name', '$when_it_happened','$how_long', '$how_many', " .
    "'$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";

  $result = mysqli_query($dbc, $query)
    or die('DO NOT USe APOSTROPHES!');

  mysqli_close($dbc);

My question is this...
How do I use mysqli_escape_real_string? I've tried the following syntax: VALUES('".mysqli_real_escape_string( '$first_name')"; but this doesn't work.

Seriously, if anyone can give me a solution to the mysqli_real_escape_string quandary I'll buy you a cappuccino !

cheers April

Edited by Roger, 01 April 2011 - 11:20 AM.
added code tags


#2 rhossis (Learning Programmer, 46 posts)
Hi, mysqli_real_escape_string requires two parameters; the first should be your DB connection resource, which for you is $dbc. Try for example:
$first_name=mysqli_real_escape_string($dbc,$first_name);


#3 april415 (Newbie, 6 posts)
Thanks for outlining the function. Now, where in my script should I be placing these mysqli_real_escape_string calls? I would think the query, but if I do that, will that still be an acceptable query statement for MySQL? How do I write that out? Perhaps like this: VALUES ("' mysqli_real_escape_string ($dbc ) ($first_name) , etc.....?

Thanks again for your attention; if you have any more suggestions, flow them my way!
When I get the working script, you will get the cappuccino, promise!! :P
Cheers,
April

#4 rhossis (Learning Programmer, 46 posts)
Hi,

Given that $dbc and $first_name are function parameters, they should be separated by commas and not brackets, so if you were to do this in your query it would look something like VALUES ('". mysqli_real_escape_string($dbc,$first_name)

However, for readability, I think it would be better for you to escape your input variables before creating your query string, or better yet we could write a function to handle that. I have just escaped the $first_name variable outside of the query string in this example. It should work. I like mocha :P

  $first_name = $_POST['firstname'];
  $last_name = $_POST['lastname'];
  $when_it_happened = $_POST['whenithappened'];
  $how_long = $_POST['howlong'];
  $how_many = $_POST['howmany'];
  $alien_description = $_POST['aliendescription'];
  $what_they_did = $_POST['whattheydid'];
  $fang_spotted = $_POST['fangspotted'];
  $email = $_POST['email'];
  $other = $_POST['other'];

  $dbc = mysqli_connect('localhost','fang','aprildawn','aliendatabase')
    or die('error connecting to MYSQL server.');

  // Escape input before creating the query string (we can write a function to handle this)
  $first_name = mysqli_real_escape_string($dbc, $first_name);

  $query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long,
              how_many, alien_description, what_they_did, fang_spotted, other, email)
            VALUES('$first_name', '$last_name', '$when_it_happened','$how_long', '$how_many',
                   '$alien_description', '$what_they_did', '$fang_spotted', '$other', '$email')";

  $result = mysqli_query($dbc, $query)
    or die('DO NOT USe APOSTROPHES!' . mysqli_error($dbc)); // Added error description

  mysqli_close($dbc);
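The helper rhossis alludes to, written out as an added example (this is not code from the thread or from either poster): every posted field is escaped through one function against the same $dbc connection, and the same insert is then shown as a prepared statement, which is the form that removes the escaping step altogether. The connection credentials are placeholders; the two inserts are shown back to back for comparison, and a real script would use one or the other.

```php
<?php
// Added example, not code from the thread. Connection credentials are placeholders.
// The helper rhossis alluded to: escape every posted field through one function.
function escaped_post_fields(mysqli $dbc, array $names) {
    $out = array();
    foreach ($names as $name) {
        $raw = isset($_POST[$name]) ? (string) $_POST[$name] : '';   // '' if absent
        // Escapes ' " \ NUL \n \r and Ctrl-Z according to the connection's charset,
        // which is why $dbc must be the first argument.
        $out[$name] = mysqli_real_escape_string($dbc, $raw);
    }
    return $out;
}

$dbc = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'aliendatabase')
    or die('error connecting to MYSQL server.');
mysqli_set_charset($dbc, 'utf8mb4');   // escaping is charset-aware; set it explicitly

$fields = array('firstname', 'lastname', 'whenithappened', 'howlong', 'howmany',
                'aliendescription', 'whattheydid', 'fangspotted', 'other', 'email');
$f = escaped_post_fields($dbc, $fields);

// Every value is already escaped: O'Brien arrives as O\'Brien, so the quotes
// around it in the SQL stay balanced.
$query = "INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, "
       . "how_many, alien_description, what_they_did, fang_spotted, other, email) "
       . "VALUES ('{$f['firstname']}', '{$f['lastname']}', '{$f['whenithappened']}', "
       . "'{$f['howlong']}', '{$f['howmany']}', '{$f['aliendescription']}', "
       . "'{$f['whattheydid']}', '{$f['fangspotted']}', '{$f['other']}', '{$f['email']}')";
mysqli_query($dbc, $query) or die('Insert failed: ' . mysqli_error($dbc));

// Same insert as a prepared statement (shown for comparison; use one approach or the
// other): values never enter the SQL text, so there is no escaping step to forget.
$stmt = mysqli_prepare($dbc,
    'INSERT INTO aliens_abduction (first_name, last_name, when_it_happened, how_long, '
  . 'how_many, alien_description, what_they_did, fang_spotted, other, email) '
  . 'VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)')
    or die('Prepare failed: ' . mysqli_error($dbc));
$raw = array();
foreach ($fields as $name) {
    $raw[] = isset($_POST[$name]) ? (string) $_POST[$name] : '';
}
mysqli_stmt_bind_param($stmt, 'ssssssssss', ...$raw);   // ten string placeholders
mysqli_stmt_execute($stmt) or die('Insert failed: ' . mysqli_stmt_error($stmt));
mysqli_stmt_close($stmt);
mysqli_close($dbc);
```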



#5 april415 (Newbie, 6 posts)
Thank you so much for your help, it works! Now the question: how do I get you your mocha! :)

One more thing I'm curious about. I came across this code on a forum that, for the life of me, looks like it shouldn't work. His claim is that it does. It uses mysqli_real_escape_string right in the query. I've tried it but it doesn't seem to work. If you have a spare moment, take a look and tell me your thoughts.
take care and cheers
April
The link to the code

#6 Mark Wylde (Learning Programmer, 46 posts)

april415 said:

Thank you so much for your help, it works! Now the question: how do I get you your mocha! :)

One more thing I'm curious about. I came across this code on a forum that, for the life of me, looks like it shouldn't work. His claim is that it does. It uses mysqli_real_escape_string right in the query. I've tried it but it doesn't seem to work. If you have a spare moment, take a look and tell me your thoughts.
take care and cheers
April
The link to the code

Hey, if you look at the code below for example:
('".mysqli_real_escape_string($mysqli, $_POST['churchname'])."',

You will see it's not actually part of the MySQL string: the concatenation steps out of the string, inserts the escaped variable, then continues.

So in reality the string above would look like the following to MySQL:
('church\'s name',


#7 rhossis (Learning Programmer, 46 posts)
Hi. You're welcome. Thanks for the mocha and for appreciating the humble effort to answer :) , but it's good enough just knowing I have helped you in this particular issue with PHP, as I too seek to be helped out from time to time in several areas. As Mark indicated, the escape function is just concatenated to the query string, but the string is escaped in order to do this. I refer back to your first post where you posted a snippet of your query: VALUES('".mysqli_real_escape_string( '$first_name')"; Is this the query you are using? I think your errors are probably just syntax errors. It is the reason we try to do this outside of the query string.



