
I was wondering if the code below is the correct way to use mysqli_real_escape_string() when storing users' data in a database.

Here is the PHP & MySQL code.

if (mysqli_num_rows($dbc) == 0) {
    $mysqli = mysqli_connect("localhost", "root", "", "sitename");
    $dbc = mysqli_query($mysqli, "INSERT INTO info (user_id, url)
                                  VALUES ('$user_id', 'mysqli_real_escape_string($url)')");
}

if ($dbc == TRUE) {
    $dbc = mysqli_query($mysqli, "UPDATE info
                                  SET url = 'mysqli_real_escape_string($url)'
                                  WHERE user_id = '$user_id'");
}

2 Answers


No, mysqli_real_escape_string() is not executed within your string. You need to move it out into the PHP code:

// The procedural form needs the connection as its first argument,
// because escaping depends on the connection's character set.
$eUrl = mysqli_real_escape_string($mysqli, $url);
mysqli_query($mysqli, "INSERT ... VALUES ('$eUrl')");

But I (and, I'm sure, others here) will argue that PDO and variable binding are the "correct" way to escape things in this modern world.



Almost: You need to put the function calls outside the string:

"... VALUES ('$user_id', '".mysqli_real_escape_string($mysqli, $url)."')");

Notice the closing " and the concatenating . before and after the function call.

And, we don't know where $user_id comes from. If it comes from the outside, that needs to be escaped, too.

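The point both answers make, carried through for every interpolated value, as an added example that is not part of the question or of either answer. In a PHP double-quoted string only variables are interpolated, never function calls, so the original query sends MySQL the literal text mysqli_real_escape_string( followed by the raw, unescaped value of $url and a closing parenthesis: nothing is escaped, and whatever the user put in $url lands directly inside the SQL string. The example assumes the connection details and the info table from the question, and that $user_id and $url come from the request; the fallback sample values are constructed for the example.

```php
<?php
// Added example: manual escaping done correctly, beside the prepared-statement
// approach. Assumes table info(user_id, url) and the question's connection.

$mysqli = mysqli_connect("localhost", "root", "", "sitename");
if ($mysqli === false) {
    die("connect failed: " . mysqli_connect_error());
}
// mysqli_real_escape_string() escapes according to the connection's charset,
// so fix the charset explicitly before escaping anything.
mysqli_set_charset($mysqli, "utf8mb4");

// Both values are attacker-controlled input (constructed sample fallbacks).
$user_id = $_GET['user_id'] ?? "42";
$url     = $_GET['url'] ?? "http://example.com/?q=it's";

// --- Option 1: manual escaping. Every interpolated value, $user_id included,
//     is escaped OUTSIDE the SQL string and placed inside single quotes. ---
$eUserId = mysqli_real_escape_string($mysqli, $user_id);
$eUrl    = mysqli_real_escape_string($mysqli, $url);

$res = mysqli_query($mysqli, "SELECT 1 FROM info WHERE user_id = '$eUserId'");
if (mysqli_num_rows($res) == 0) {
    mysqli_query($mysqli, "INSERT INTO info (user_id, url) VALUES ('$eUserId', '$eUrl')");
} else {
    mysqli_query($mysqli, "UPDATE info SET url = '$eUrl' WHERE user_id = '$eUserId'");
}

// --- Option 2: mysqli prepared statements. The values are sent separately
//     from the SQL text, so quoting and charset pitfalls do not apply. ---
$check = mysqli_prepare($mysqli, "SELECT 1 FROM info WHERE user_id = ?");
mysqli_stmt_bind_param($check, "s", $user_id);
mysqli_stmt_execute($check);
mysqli_stmt_store_result($check);

if (mysqli_stmt_num_rows($check) == 0) {
    $stmt = mysqli_prepare($mysqli, "INSERT INTO info (user_id, url) VALUES (?, ?)");
    mysqli_stmt_bind_param($stmt, "ss", $user_id, $url);
} else {
    $stmt = mysqli_prepare($mysqli, "UPDATE info SET url = ? WHERE user_id = ?");
    mysqli_stmt_bind_param($stmt, "ss", $url, $user_id);
}
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_stmt_close($check);

// --- Option 3: the same flow with PDO, as the first answer suggests.
//     Emulated prepares are switched off so MySQL itself binds the values. ---
$pdo = new PDO("mysql:host=localhost;dbname=sitename;charset=utf8mb4", "root", "", [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$exists = $pdo->prepare("SELECT 1 FROM info WHERE user_id = ?");
$exists->execute([$user_id]);
if ($exists->fetchColumn() === false) {
    $ins = $pdo->prepare("INSERT INTO info (user_id, url) VALUES (:uid, :url)");
    $ins->execute([':uid' => $user_id, ':url' => $url]);
} else {
    $upd = $pdo->prepare("UPDATE info SET url = :url WHERE user_id = :uid");
    $upd->execute([':url' => $url, ':uid' => $user_id]);
}
```

Option 1 is only safe while every escaped value is wrapped in quotes in the SQL; an escaped value dropped into an unquoted position (WHERE user_id = $eUserId) is still injectable, which is one more reason to prefer options 2 and 3.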
