• Status: Solved
  • Priority: Medium
  • Security: Public

What has caused this error message: mysqli_real_escape_string() expects 2 parameters.

I have my code attached.

I introduced what I believe to be a better approach to an INSERT statement from the standpoint of security and SQL integrity. But just when I thought I had my act together, I get this error message:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line

What have I done to result in this error?

FYI: The entire error message is:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line 15

I get that error at 15, 17 and 21. Basically it happens every time I use the mysqli_real_escape_string.
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST['city']);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");

brucegust
Asked:
 
hielo Commented:
you need to pass the connection resource/object as the second parameter -ex:
$conn = mysql_connect("localhost","username","password");
...
$first_name = mysql_real_escape_string(trim($_POST['first_name']), $conn);
 
brucegust (PHP Developer, Author) Commented:
Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?

Also, why did my INSERT statement work (I have that posted below)? I used the same format but didn't get an error?
$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST['city']);
 
$insert = "insert into winners (first_name, last_name, email, state, bio, radio_id, image_file, mp3_file, city, press_release, region, winner_type)
values ('$first_name','$last_name', '$_POST[email]', '$_POST[State]', '$finaltext', '$_POST[radio_id]', '$_POST[image_file]', '$_POST[mp3_file]', '$city', '$_POST[press_release]', '$_POST[region]','$_POST[winner_type]')";
$insertexe = mysqli_query($cxn, $insert)
or die ("Couldn't execute query.");

 
hielo Commented:
>>Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?
They are meant to serve the same purpose.

If you are interested in the differences, refer to:
http://www.johnjawed.com/benchmarks/

>>why did my INSERT statement work
Because the syntax is perfectly valid. What you got is a "Warning" not an "Error". If you get a "Warning" you get the annoying messages you got, but execution of the script does NOT stop.


$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']), $cxn);
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']), $cxn);
...


 
hielo Commented:
sorry, the connection resource goes first in mysqli_real_escape_string:

$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string($cxn, trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string($cxn, trim($_POST['last_name']));
...
 
NerdsOfTech (Technology Scientist) Commented:
There is a difference as mysqli_real_escape_string has (2) TWO REQUIRED PARAMETERS
SYNTAX:
string mysqli_real_escape_string  ( mysqli $link  , string $escapestr  )

mysql_real_escape_string has just (1) ONE REQUIRED PARAMETER:
string mysql_real_escape_string  ( string $unescaped_string  [, resource $link_identifier  ] )

Since you are using a procedural syntax you will need to use the latter, mysql_real_escape_string, in this case.

=NerdsOfTech
$first_name = mysql_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysql_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysql_real_escape_string($textBr);
 
$city = mysql_real_escape_string($_POST['city']);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");

 
brucegust (PHP Developer, Author) Commented:
OK, it's as clear as mud right now and it ain't for lack of trying...

hielo, it appears as though you made a change between your first and second posts. You begin your second post by saying that the connection resource needs to be positioned first. Yet, when I look at your code, I don't see any difference. It seems as though the connection resource is first in both instances.

NerdsOfTech - Is there no way to write an UPDATE statement using mysqli? I want to learn WHY something works and not just WHAT and that's one of the reasons I appreciate both you ninjas weighing in on this stuff because you offer not just a solution, but some commentary as well. My thing is, I want to use mysqli. Can you show me how to make it work in that context?
 
hielo Commented:
>>Yet, when I look at your code, I don't see any difference.
Then maybe it is your lack of sleep. $cxn is your connection resource.
My mistake on  ID: 22919182:
$first_name = mysqli_real_escape_string( trim(...),  $cxn);

The corrected version follows that:
$first_name = mysqli_real_escape_string( $cxn, trim(...) );

Notice that the position of $cxn changed!
 
brucegust (PHP Developer, Author) Commented:
It's my browser. I didn't notice until you pointed it out that there was more to the code than I initially saw in the "box" where you published your suggestion. I got it now...
 
hielo Commented:
glad to help
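
The UPDATE in the question escapes four values but still places $_POST[email], $_POST[id] and the other request fields directly into the SQL string, so fixing the argument order alone leaves the statement open to SQL injection. As an added example (not code from any poster in this thread), here is the same UPDATE written with mysqli prepared statements; `update_winner()` is a hypothetical helper, and it assumes `$cxn` is the `mysqli_connect()` handle from the posts above and that `id` is an integer column.

```php
<?php
// Added example: the UPDATE from the question as a mysqli prepared statement.
// Assumptions: $cxn comes from mysqli_connect(); id is an integer column;
// all other columns are strings. update_winner() is a hypothetical helper.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

function update_winner(mysqli $cxn, array $post): int
{
    // Column names are fixed here; they are never taken from the request.
    $fields = ['first_name', 'last_name', 'email', 'state', 'winner_type',
               'bio', 'radio_id', 'image_file', 'mp3_file', 'city',
               'press_release', 'region'];

    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }

    $values = [];
    foreach ($fields as $f) {
        if (!isset($post[$f]) || !is_string($post[$f])) {
            throw new InvalidArgumentException("missing or non-string field: $f");
        }
        // bio keeps the nl2br() step from the question; the rest are trimmed.
        $values[] = ($f === 'bio') ? nl2br($post[$f]) : trim($post[$f]);
    }
    $values[] = $id;

    // Only placeholders go into the SQL text; values travel separately,
    // so no escaping function (and no argument order) is involved.
    $set  = implode(', ', array_map(fn($f) => "$f = ?", $fields));
    $stmt = mysqli_prepare($cxn, "UPDATE winners SET $set WHERE id = ?");

    // One 's' per string column, then 'i' for the integer id.
    $types = str_repeat('s', count($fields)) . 'i';
    mysqli_stmt_bind_param($stmt, $types, ...$values);
    mysqli_stmt_execute($stmt);

    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Usage, with the connection opened as in the posts above:
// $cxn = mysqli_connect($host, $user, $password, $database);
// $rows = update_winner($cxn, $_POST);
```

The same pattern applies to the INSERT posted earlier in the thread: one `?` per column in the VALUES list and one bound value for each.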