Link to home
Start Free TrialLog in
Avatar of Bruce Gust
Bruce GustFlag for United States of America

asked on

What has caused this error message: mysqli_real_escape_string() expects 2 parameters.

I have my code attached.

I introduced, what I'm believing to be a better approach to an INSERT statment from the standpoint of security and SQL integrity. But just when I thought I had my act together, I get this error message:

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line

What have I done to result in this error?

FYI: The entire error message is:
Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /home/hihatweb/public_html/Showdown/admin/winneredit.php on line 15

I get that error at 15, 17 and 21. Basically it happens everytime I use the mysqli_real_escape_string.
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST[city]);
 
$query = "UPDATE winners SET first_name='$first_name',
last_name='$last_name', 
email='$_POST[email]',
state='$_POST[state]', 
winner_type='$_POST[winner_type]',
bio = '$finaltext',
radio_id = '$_POST[radio_id]', 
image_file = '$_POST[image_file]',
mp3_file = '$_POST[mp3_file]', 
city = '$city', 
press_release = '$_POST[press_release]',
region = '$_POST[region]' 
WHERE id = '$_POST[id]'";
 
$result = mysqli_query($cxn, $query)
or die ("Couldn't execute query.");

Open in new window

Avatar of hielo
hielo
Flag of Wallis and Futuna image
you need to pass the connection resource/object as the second parameter -ex:
$conn = mysql_connect("localhost","username","password");
...
$first_name = mysql_real_escape_string(trim($_POST['first_name']), $conn);
Avatar of Bruce Gust
Bruce Gust
Flag of United States of America image

ASKER

Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?

Also, why did my INSERT statement work (I have that posted below)? I used the same format but didn't get an error?
$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']));
 
 
$text = $_POST['bio'];
$textBr = nl2br($text);
$finaltext = mysqli_real_escape_string($textBr);
 
$city = mysqli_real_escape_string($_POST[city]);
 
$insert = "insert into winners (first_name, last_name, email, state, bio, radio_id, image_file, mp3_file, city, press_release, region, winner_type)
values ('$first_name','$last_name', '$_POST[email]', '$_POST[State]', '$finaltext', '$_POST[radio_id]', '$_POST[image_file]', '$_POST[mp3_file]', '$city', '$_POST[press_release]', '$_POST[region]','$_POST[winner_type]')";
$insertexe = mysqli_query($cxn, $insert)
or die ("Couldn't execute query.");

Open in new window

Avatar of hielo
hielo
Flag of Wallis and Futuna image
>>Is there any difference between mysqli_real_escape_string and mysql_real_escape_string?
They are meant to serve the same purpose.

If you are interested in the differences, refer to:
http://www.johnjawed.com/benchmarks/

>>why did my INSERT statement work
Because the syntax is perfectly valid. What you got is a "Warning" not an "Error". If you get a "Warning" you get the annoying messages you got, but execution of the script does NOT stop.


$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string(trim($_POST['first_name']), $cxn);
 
$last_name = mysqli_real_escape_string(trim($_POST['last_name']), $cxn);
...

Open in new window

Avatar of hielo
hielo
Flag of Wallis and Futuna image
sorry, the connection resource goes first in mysqli_real_escape_string:

$cxn = mysqli_connect($host,$user,$password,$database)
or die ("couldn't connect to server");
 
$first_name = mysqli_real_escape_string($cxn, trim($_POST['first_name']));
 
$last_name = mysqli_real_escape_string($cxn, trim($_POST['last_name']));
...
SOLUTION
Avatar of NerdsOfTech
NerdsOfTech
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Bruce Gust
Bruce Gust
Flag of United States of America image

ASKER

OK, it's as clear as mud right now and it ain't for lack of trying...

hielo, it appear as though you made a change between your first and second posts. You begin your second post by saying that the connection resource needs to be positioned first. Yet, when I look at your code, I don't see any difference. It seems as though the connection resource is first in both instances.

NerdsOfTech - Is there no way to write an UPDATE statement using mysqli? I want to learn WHY something works and not just WHAT and that's one of the reasons I appreciate both you ninjas weighing in on this stuff because you offer not just a solution, but some commentary as well. My thing is, I want to use mysqli. Can you show me how to make it work in that context?
ASKER CERTIFIED SOLUTION
Avatar of hielo
hielo
Flag of Wallis and Futuna image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Bruce Gust
Bruce Gust
Flag of United States of America image

ASKER

It's my browser. I didn't notice until you pointed it out that there was more to the code that I initally saw in the "box" where you published your suggestion. I got it now...
Avatar of hielo
hielo
Flag of Wallis and Futuna image
glad to help