
I've been doing some research on mysqli_real_escape_string(), but I'm not really understanding how to properly use it in my case to help protect against SQL injection. Using my code below, can someone help me correct this? I appreciate all the help. The other questions on here regarding SQL injection and PHP did not really answer my question regarding the proper syntax usage in my format. When I used this:

$city = mysqli_real_escape_string($_POST['City']);

I just got my generic search no matter what the input of '%$city%' or '%$business%' was.

<?php
    $con = mysqli_connect(........);
    // Check connection; stop here instead of running queries on a failed connection
    if (mysqli_connect_errno())
       {
       echo "<option>Failed to connect to the Database</option>" ;
       exit;
       }

     // Escape the form values, passing the connection handle as the first argument
     $city = mysqli_real_escape_string($con, $_POST['City']);
     $business = mysqli_real_escape_string($con, $_POST['Business']);

     // Wildcard search on both columns
     $result = mysqli_query($con,"SELECT * FROM Business WHERE City LIKE '%$city%' AND BName LIKE '%$business%' ORDER BY City, BName ASC");
     while($row = mysqli_fetch_array($result))
     {
     // do stuff here
     }

     // No other results
     echo "<center>No other listings like $city or $business</center>";

     // Free result set
     mysqli_free_result($result);
     mysqli_close($con);
?>
  • Forget about mysql_real_escape_string() and the legacy mysql extension—it's abandoned and insecure. If you are using the new mysqli extension, use it all the time (among other reasons, because you can't mix two different database extensions). Prepared statements are the way to go; period. Commented Dec 1, 2014 at 10:26
  • I apologize, that was a mistype on my part. I am using mysqli; it's just sanitizing ALL input, so my search keeps ending up being '%%' instead of '% USERS INPUTS IN VARIABLE FORM %'. Commented Dec 1, 2014 at 10:39
  • If you have problems with your code, please post the real code. If you want to prevent SQL injection, please use prepared statements rather than escape functions. Commented Dec 1, 2014 at 10:48
  • Ok, I will look into prepared statements. Thank you for the help. Commented Dec 1, 2014 at 10:58

1 Answer


You have to use mysqli_real_escape_string instead of mysql_real_escape_string because you are using mysqli_* functions.

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

You have to rewrite your escape sequences to

$city = mysqli_real_escape_string ($con, $_POST['City']);
$business = mysqli_real_escape_string ($con, $_POST['Business']);

And for preventing SQL injection, use prepared statements instead.


1 Comment

I apologize, that was a mistype on my part. I am using mysqli; it's just sanitizing ALL input, so my search keeps ending up being '%%' instead of '% USERS INPUTS IN VARIABLE FORM %'. The search works perfectly when I'm not using mysqli_real_escape_string().
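The comments and the answer both point to prepared statements as the fix for injection, and the question's symptom is worth pinning down: a one-argument call such as the one quoted in the question raises a warning and returns NULL, which interpolates into the query as an empty string and yields exactly the '%%' pattern described; the two-argument form in the posted code is the correct signature. The example below is added here and is not the asker's or the answerer's code. It rewrites the same search (table Business, columns City and BName, form fields City and Business, all from the question) as a mysqli prepared statement. Two points the page does not spell out are built in: the LIKE wildcards are appended to the bound value rather than written into the SQL, and because neither mysqli_real_escape_string() nor a bound parameter neutralises % and _ inside LIKE, the input is run through a small escape_like() helper with an explicit ESCAPE character. The connection credentials are placeholders, and mysqli_stmt_get_result()/mysqli_fetch_all() assume the mysqlnd driver, which is the usual PHP build.

```php
<?php
// Added example, not the question's or answer's code: the same LIKE search
// done with a mysqli prepared statement. Assumes a table Business(City, BName)
// and a form posting City and Business, as in the question.

// Make mysqli throw on errors instead of silently returning false/NULL, so a
// bad call cannot degrade the query into '%%' without anyone noticing.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Placeholder credentials; substitute the real ones.
$con = mysqli_connect('db_host', 'db_user', 'db_password', 'db_name');

/**
 * Escape LIKE metacharacters so that user input is matched literally.
 * Quoting/backslash escaping (or parameter binding) protects the SQL string,
 * but % and _ keep their wildcard meaning inside LIKE, so they are escaped
 * here with a dedicated escape character declared via ESCAPE in the query.
 */
function escape_like(string $value, string $escape = '!'): string
{
    // The escape character itself is doubled first, then the wildcards.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $value
    );
}

/**
 * Look up businesses whose city and name contain the given fragments.
 * The SQL text holds only placeholders; the fragments travel separately as
 * bound parameters, so quotes in the input cannot change the statement.
 */
function find_businesses(mysqli $con, string $city, string $business): array
{
    $sql = "SELECT City, BName FROM Business
            WHERE City LIKE ? ESCAPE '!' AND BName LIKE ? ESCAPE '!'
            ORDER BY City, BName ASC";

    // Wildcards are added to the value, never to the SQL string.
    $cityPattern     = '%' . escape_like($city) . '%';
    $businessPattern = '%' . escape_like($business) . '%';

    $stmt = mysqli_prepare($con, $sql);
    mysqli_stmt_bind_param($stmt, 'ss', $cityPattern, $businessPattern);
    mysqli_stmt_execute($stmt);

    // mysqli_stmt_get_result()/mysqli_fetch_all() need the mysqlnd driver.
    $rows = mysqli_fetch_all(mysqli_stmt_get_result($stmt), MYSQLI_ASSOC);
    mysqli_stmt_close($stmt);
    return $rows;
}

// Read the form fields; a missing field becomes '' explicitly rather than
// through an undefined-index notice, and surrounding whitespace is dropped.
$city     = trim((string) ($_POST['City'] ?? ''));
$business = trim((string) ($_POST['Business'] ?? ''));

if ($city === '' && $business === '') {
    // Both empty would match every row; ask for some input instead.
    echo "<option>Enter a city or business name</option>";
} else {
    $rows = find_businesses($con, $city, $business);
    if ($rows === []) {
        // User input is HTML-escaped before being echoed back to the page.
        echo "<center>No listings like " . htmlspecialchars($city)
           . " or " . htmlspecialchars($business) . "</center>";
    }
    foreach ($rows as $row) {
        echo "<option>" . htmlspecialchars($row['City'] . ' - ' . $row['BName']) . "</option>";
    }
}

mysqli_close($con);
```

The original code echoes $city and $business straight back into HTML; wrapping them in htmlspecialchars() closes the reflected cross-site scripting hole that sits next to the injection one, and mysqli_report() in strict mode turns a failed connection or a mistyped call into an exception instead of a query that quietly runs with empty values.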
