  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1138

What has caused this error message: mysqli_real_escape_string() expects 2 parameters.

I have my code attached.

I introduced, what I'm believing to be a better approach to an INSERT statement from the standpoint of security and SQL integrity. But just when I thought I had my act together, I get this error message:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line

What have I done to result in this error?

FYI: The entire error message is:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line 15

I get that error at 15, 17 and 21. Basically it happens every time I use the mysqli_real_escape_string.
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST['city']);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");


0
brucegust
Asked:
2 Solutions
 
hielo Commented:
you need to pass the connection resource/object as the second parameter -ex:
$conn = mysql_connect("localhost","username","password");
...
$first_name = mysql_real_escape_string(trim($_POST['first_name']), $conn);
0
 
brucegust (Author) Commented:
Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?

Also, why did my INSERT statement work (I have that posted below)? I used the same format but didn't get an error?
$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST['city']);
 
$insert = "insert into winners (first_name, last_name, email, state, bio, radio_id, image_file, mp3_file, city, press_release, region, winner_type)
values ('$first_name','$last_name', '$_POST[email]', '$_POST[State]', '$finaltext', '$_POST[radio_id]', '$_POST[image_file]', '$_POST[mp3_file]', '$city', '$_POST[press_release]', '$_POST[region]','$_POST[winner_type]')";
$insertexe = mysqli_query($cxn, $insert)
or die ("Couldn't execute query.");


0
 
hielo Commented:
>>Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?
They are meant to serve the same purpose.

If you are interested in the differences, refer to:
http://www.johnjawed.com/benchmarks/

>>why did my INSERT statement work
Because the syntax is perfectly valid. What you got is a "Warning" not an "Error". If you get a "Warning" you get the annoying messages you got, but execution of the script does NOT stop.


$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']), $cxn);
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']), $cxn);
...


0
 
hielo Commented:
sorry, the connection resource goes first in mysqli_real_escape_string:

$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string($cxn, trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string($cxn, trim($_POST['last_name']));
...
0
 
NerdsOfTech (Technology Scientist) Commented:
There is a difference as mysqli_real_escape_string has (2) TWO REQUIRED PARAMETERS
SYNTAX:
string mysqli_real_escape_string  ( mysqli $link  , string $escapestr  )

mysql_real_escape_string has just (1) ONE REQUIRED PARAMETER:
string mysql_real_escape_string  ( string $unescaped_string  [, resource $link_identifier  ] )

Since you are using a procedural syntax you will need to use the latter, mysql_real_escape_string, in this case.

=NerdsOfTech
$first_name = mysql_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysql_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysql_real_escape_string($textBr);
 
$city = mysql_real_escape_string($_POST['city']);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");


0
 
brucegust (Author) Commented:
OK, it's as clear as mud right now and it ain't for lack of trying...

hielo, it appears as though you made a change between your first and second posts. You begin your second post by saying that the connection resource needs to be positioned first. Yet, when I look at your code, I don't see any difference. It seems as though the connection resource is first in both instances.

NerdsOfTech - Is there no way to write an UPDATE statement using mysqli? I want to learn WHY something works and not just WHAT and that's one of the reasons I appreciate both you ninjas weighing in on this stuff because you offer not just a solution, but some commentary as well. My thing is, I want to use mysqli. Can you show me how to make it work in that context?
0
 
hielo Commented:
>>Yet, when I look at your code, I don't see any difference.
Then maybe it is your lack of sleep. $cxn is your connection resource.
My mistake on  ID: 22919182:
$first_name = mysqli_real_escape_string( trim(...),  $cxn);

The corrected version follows that:
$first_name = mysqli_real_escape_string( $cxn, trim(...) );

Notice that the position of $cxn changed!
0
 
brucegust (Author) Commented:
It's my browser. I didn't notice until you pointed it out that there was more to the code than I initially saw in the "box" where you published your suggestion. I got it now...
0
 
hielo Commented:
glad to help
0
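
The thread settles the argument order, but the question's UPDATE still places email, state, radio_id, the file names and the WHERE id into the SQL string directly from $_POST, with no escaping at all. As an added example (not code from any poster in the thread), here is the same UPDATE as a mysqli prepared statement in procedural style; the function name update_winner, the $fields list and the column types (text columns, integer id) are assumptions.

```php
<?php
// Added example, not code from the thread. Column names come from the
// question's UPDATE; update_winner() and $fields are illustrative names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw

function update_winner(mysqli $cxn, array $post): int
{
    // Columns in the order their placeholders appear in the SQL below.
    $fields = ['first_name', 'last_name', 'email', 'state', 'winner_type',
               'bio', 'radio_id', 'image_file', 'mp3_file', 'city',
               'press_release', 'region'];

    $values = [];
    foreach ($fields as $name) {
        // A missing key becomes '' rather than an undefined-index notice.
        $values[] = trim((string) ($post[$name] ?? ''));
    }
    // Same transformation the question applies to bio before storing it.
    $values[5] = nl2br($values[5]);

    // The row id is validated as a positive integer and bound as one.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $values[] = $id;

    // One ? per value: the data travels separately from the SQL text, so no
    // field needs mysqli_real_escape_string() and none can be forgotten.
    $sql = 'UPDATE winners SET first_name = ?, last_name = ?, email = ?,
                state = ?, winner_type = ?, bio = ?, radio_id = ?,
                image_file = ?, mp3_file = ?, city = ?, press_release = ?,
                region = ?
            WHERE id = ?';

    $stmt = mysqli_prepare($cxn, $sql);
    // Twelve strings (assumed text columns) followed by one integer.
    mysqli_stmt_bind_param($stmt, str_repeat('s', 12) . 'i', ...$values);
    mysqli_stmt_execute($stmt);
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $affected;
}

// Usage, with the connection variables the question already defines:
// $cxn = mysqli_connect($host, $user, $password, $database);
// update_winner($cxn, $_POST);
```

The return value is the number of rows changed; 0 means either no row has that id or the submitted values match what is already stored.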
