What has caused this error message: mysqli_real_escape_string() expects 2 parameters.

I have my code attached.

I introduced what I believe to be a better approach to an INSERT statement from the standpoint of security and SQL integrity. But just when I thought I had my act together, I get this error message:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line

What have I done to result in this error?

FYI: The entire error message is:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line 15

I get that error at 15, 17 and 21. Basically it happens every time I use the mysqli_real_escape_string.
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST[city]);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");


brucegust (PHP Developer) Asked:

hielo Commented:
you need to pass the connection resource/object as the second parameter -ex:
$conn = mysql_connect("localhost","username","password");
...
$first_name = mysql_real_escape_string(trim($_POST['first_name']), $conn);
0
brucegust (PHP Developer, Author) Commented:
Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?

Also, why did my INSERT statement work (I have that posted below)? I used the same format but didn't get an error?
$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST[city]);
 
$insert = "insert into winners (first_name, last_name, email, state, bio, radio_id, image_file, mp3_file, city, press_release, region, winner_type)
values ('$first_name','$last_name', '$_POST[email]', '$_POST[State]', '$finaltext', '$_POST[radio_id]', '$_POST[image_file]', '$_POST[mp3_file]', '$city', '$_POST[press_release]', '$_POST[region]','$_POST[winner_type]')";
$insertexe = mysqli_query($cxn, $insert)
or die ("Couldn't execute query.");


0
hielo Commented:
>>Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?
They are meant to serve the same purpose.

If you are interested in the differences, refer to:
http://www.johnjawed.com/benchmarks/

>>why did my INSERT statement work
Because the syntax is perfectly valid. What you got is a "Warning" not an "Error". If you get a "Warning" you get the annoying messages you got, but execution of the script does NOT stop.


$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']), $cxn);
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']), $cxn);
...


0
hielo Commented:
sorry, the connection resource goes first in mysqli_real_escape_string:

$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string($cxn, trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string($cxn, trim($_POST['last_name']));
...
0
NerdsOfTech (Technology Scientist) Commented:
There is a difference as mysqli_real_escape_string has (2) TWO REQUIRED PARAMETERS
SYNTAX:
string mysqli_real_escape_string  ( mysqli $link  , string $escapestr  )

mysql_real_escape_string has just (1) ONE REQUIRED PARAMETER:
string mysql_real_escape_string  ( string $unescaped_string  [, resource $link_identifier  ] )

Since you are using a procedural syntax you will need to use the latter, mysql_real_escape_string, in this case.

=NerdsOfTech
$first_name = mysql_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysql_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysql_real_escape_string($textBr);
 
$city = mysql_real_escape_string($_POST[city]);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");


0
brucegust (PHP Developer, Author) Commented:
OK, it's as clear as mud right now and it ain't for lack of trying...

hielo, it appears as though you made a change between your first and second posts. You begin your second post by saying that the connection resource needs to be positioned first. Yet, when I look at your code, I don't see any difference. It seems as though the connection resource is first in both instances.

NerdsOfTech - Is there no way to write an UPDATE statement using mysqli? I want to learn WHY something works and not just WHAT and that's one of the reasons I appreciate both you ninjas weighing in on this stuff because you offer not just a solution, but some commentary as well. My thing is, I want to use mysqli. Can you show me how to make it work in that context?
0
hielo Commented:
>>Yet, when I look at your code, I don't see any difference.
Then maybe it is your lack of sleep. $cxn is your connection resource.
My mistake on  ID: 22919182:
$first_name = mysqli_real_escape_string( trim(...),  $cxn);

The corrected version follows that:
$first_name = mysqli_real_escape_string( $cxn, trim(...) );

Notice that the position of $cxn changed!
0
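
A parameterized version of the UPDATE from the question, as an added example that is not part of the thread: it uses mysqli prepared statements, so every value is bound rather than escaped, including the ones the original query interpolated straight from $_POST (email, state, id and so on). It assumes $cxn from the thread's mysqli_connect() call and PHP 7.4 or later; update_winner is a hypothetical name, and trimming every field is a choice made here.

```php
<?php
// Added example, not code from the thread. Table and column names are taken
// from the question; $cxn is assumed to come from mysqli_connect() as there.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on failure

function update_winner(mysqli $cxn, array $post): int   // hypothetical name
{
    // Column names are a fixed list and never come from the request.
    $columns = ['first_name', 'last_name', 'email', 'state', 'winner_type',
                'bio', 'radio_id', 'image_file', 'mp3_file', 'city',
                'press_release', 'region'];

    // id must be a positive integer; anything else is rejected outright.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Take only scalar strings: email[]=x arrives as an array and is dropped.
    $values = [];
    foreach ($columns as $col) {
        $raw = $post[$col] ?? '';
        $values[$col] = is_string($raw) ? trim($raw) : '';
    }
    $values['bio'] = nl2br($values['bio']); // same transformation as the question

    // One "?" per value: the data travels separately from the SQL text, so
    // no quoting or escaping of the values is involved.
    $set  = implode(', ', array_map(fn($c) => "$c = ?", $columns));
    $stmt = mysqli_prepare($cxn, "UPDATE winners SET $set WHERE id = ?");

    $types    = str_repeat('s', count($columns)) . 'i'; // 12 strings, 1 int
    $params   = array_values($values);
    $params[] = $id;
    mysqli_stmt_bind_param($stmt, $types, ...$params);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Usage, with $cxn opened as in the thread:
// $rows = update_winner($cxn, $_POST);
```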

brucegust (PHP Developer, Author) Commented:
It's my browser. I didn't notice until you pointed it out that there was more to the code than I initially saw in the "box" where you published your suggestion. I got it now...
0
hielo Commented:
glad to help
0