mysqli_real_escape_string() expects exactly 2 parameters in mysqli

I receive this kind of error in PHP. I just can't figure out why it displays an error.

    Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\xampp\htdocs\cart\cart.php on line 139

    Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\cart\cart.php on line 143

    Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in C:\xampp\htdocs\cart\cart.php on line 139

    Warning: mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, boolean given in C:\xampp\htdocs\cart\cart.php on line 143

    foreach ($_SESSION as $name => $value) {
        // Loop over every session entry. $name is the session key and $value its
        // contents, e.g. cart_1 = 3 gives $name = 'cart_1' and $value = 3, so
        // $value is the quantity in the cart.
        if ($value > 0) {
            // Only keys that start with the word 'cart_' are cart items
            if (substr($name, 0, 5) == 'cart_') {
                $id = substr($name, 5, (strlen($name) - 5)); // strip the word 'cart_' to get the product id
                //echo $id.'<br />';

                // mysqli_real_escape_string() is called with a single argument here;
                // it needs the connection ($conn) as its first parameter, which is
                // what the "expects exactly 2 parameters, 1 given" warning is about
                $get = "SELECT id, product_name, price, quantity FROM products WHERE id=".mysqli_real_escape_string((int)$id);

                // Because the escape call above failed, the SQL is malformed and
                // mysqli_query() returns false instead of a mysqli_result
                $result = mysqli_query($conn, $get);

                // $result is false, hence the "mysqli_fetch_assoc() ... boolean given" warning
                while ($get_row = mysqli_fetch_assoc($result)) {
                    $sub = $get_row['price'] * $value;
                    $q = $get_row['quantity'] - $value;
                    echo $get_row['product_name'].' x '.$value.' @ &#8369;'.number_format($get_row['price'], 2).' = &#8369;'.number_format($sub, 2).' Remaining Stock: '.number_format($q).'<a href="cart.php?remove='.$id.'">[-]</a><a href="cart.php?add='.$id.'">[+]</a><a href="cart.php?delete='.$id.'">[Delete]</a><br />';

                    // Add this line to the running total only for cart entries; outside
                    // the cart_ branch a stale $sub from the previous item would be re-added
                    $total = $total + $sub;
                }
            }
        }
    }

    if (isset($_GET['add'])) {

        // Use the session to add the product to the cart

        // Same problem as above: the connection ($conn) is missing as the first argument
        $quantity = "SELECT id, quantity FROM products WHERE id=".mysqli_real_escape_string((int)$_GET['add']);

        $result = mysqli_query($conn, $quantity);

        while ($quantity_row = mysqli_fetch_assoc($result)) {
            // Only add while the quantity in stock has not been reached yet
            if ($quantity_row['quantity'] != $_SESSION['cart_'.(int)$_GET['add']]) {
                $_SESSION['cart_'.(int)$_GET['add']] += 1;
            }
        }
        //header('Location: '.$page);
    }

Well, the error message says

mysqli_real_escape_string() expects exactly 2 parameters, 1 given

The example code has

mysqli_real_escape_string((int)$id);
mysqli_real_escape_string((int)$_GET['add']);

int in parentheses is not a parameter.

http://php.net/manual/en/mysqli.real-escape-string.php

It requires a database resource as the first parameter. Of course, no one uses it any more, as by using prepare and bind the data can be kept separate and therefore doesn’t need to be escaped.
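Here is what the prepare-and-bind approach from this reply looks like applied to the OP's cart loop and `add` handler. This is an added example, not code from the thread. It assumes the same `$conn` mysqli connection and `products` table (id, product_name, price, quantity) the OP's code uses, reads connection details from DB_HOST/DB_USER/DB_PASS/DB_NAME environment variables (an assumption for the example), needs the mysqlnd driver for mysqli_stmt_get_result(), and turns on mysqli exception reporting so a failed query throws instead of returning false, which is what produced the second warning (mysqli_fetch_assoc() receiving a boolean). The helper names get_product() and cart_key_to_id() are chosen here, not taken from the OP's code.

```php
<?php
// Added example (not from the thread): the OP's product lookups rewritten with
// prepared statements. Assumes a products(id, product_name, price, quantity)
// table and a mysqli connection, as in the OP's code; connection details are
// taken from environment variables purely for this example.

// Make mysqli throw on errors so a failed query cannot silently return false
// (a false $result is what caused "mysqli_fetch_assoc() expects parameter 1
// to be mysqli_result, boolean given").
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$conn = mysqli_connect(
    getenv('DB_HOST') ?: '127.0.0.1',
    getenv('DB_USER') ?: 'cart',
    getenv('DB_PASS') ?: '',
    getenv('DB_NAME') ?: 'cart'
);
mysqli_set_charset($conn, 'utf8mb4');

/**
 * Fetch one product row by id, or null if it does not exist.
 * The id travels as a bound integer, so it is never spliced into the SQL
 * text and mysqli_real_escape_string() is not needed at all.
 * (mysqli_stmt_get_result() requires the mysqlnd driver.)
 */
function get_product(mysqli $conn, int $id): ?array
{
    $stmt = mysqli_prepare($conn, 'SELECT id, product_name, price, quantity FROM products WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

/**
 * Parse a "cart_<id>" session key; returns the id or null for other keys.
 * A regex instead of substr() also rejects keys such as "cart_abc".
 */
function cart_key_to_id(string $key): ?int
{
    return preg_match('/^cart_(\d+)$/', $key, $m) ? (int)$m[1] : null;
}

session_start();

// ?add=<id>: increase the quantity, but never above what is in stock.
if (isset($_GET['add'])) {
    $id = (int)$_GET['add'];
    $product = get_product($conn, $id);
    if ($product !== null) {
        $key = 'cart_' . $id;
        $inCart = $_SESSION[$key] ?? 0;
        if ($inCart < (int)$product['quantity']) {
            $_SESSION[$key] = $inCart + 1;
        }
    }
}

// Render the cart and total, one prepared lookup per cart entry.
$total = 0.0;
foreach ($_SESSION as $name => $qty) {
    $id = cart_key_to_id($name);
    if ($id === null || $qty <= 0) {
        continue;
    }
    $row = get_product($conn, $id);
    if ($row === null) {
        continue; // product was deleted since it was put in the cart
    }
    $sub = $row['price'] * $qty;
    $total += $sub;
    // Escape for HTML output: product_name came from the database, not from
    // the request, but that alone does not make it safe to echo raw.
    echo htmlspecialchars($row['product_name'], ENT_QUOTES, 'UTF-8')
        . ' x ' . $qty
        . ' @ &#8369;' . number_format((float)$row['price'], 2)
        . ' = &#8369;' . number_format($sub, 2)
        . ' Remaining Stock: ' . number_format($row['quantity'] - $qty)
        . ' <a href="cart.php?remove=' . $id . '">[-]</a>'
        . ' <a href="cart.php?add=' . $id . '">[+]</a>'
        . ' <a href="cart.php?delete=' . $id . '">[Delete]</a><br />';
}
echo 'Total: &#8369;' . number_format($total, 2);
```

With MYSQLI_REPORT_STRICT on, a typo in the SQL or a dropped connection surfaces as a mysqli_sql_exception at the prepare or execute call, with the real error message, instead of cascading into a "boolean given" warning four lines later. Binding the id with type 'i' means a request such as cart.php?add=1 OR 1=1 is coerced to the integer 1 before it ever reaches the server.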

Please don’t make general statements like this. Of course, some people still use it, as there are valid reasons to do so, especially when using mysqli, where using prepared statements is pretty awkward and makes the code more complicated. There’s nothing wrong with using mysqli_real_escape_string() instead of prepared statements.

To the OP: in this particular case you don’t even need mysqli_real_escape_string(), because you are casting the variable to integer, therefore there’s no possibility of passing unsafe data. This is good enough:

$get = "SELECT id, product_name, price, quantity FROM products WHERE id=".(int) $id;

However, always use mysqli_real_escape_string() when the data may not be numeric - and don’t forget to add single quotes around the value:

$get = "SELECT id, product_name, price, quantity FROM products WHERE id='".mysqli_real_escape_string($conn, $id) . "'";
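A worked illustration of the two points in this reply: escaping on its own does not protect an unquoted numeric comparison, while the single quotes (or the (int) cast) do. This is an added example, not code from the thread. mysqli_real_escape_string() needs an open connection, so the block uses a stand-in, escape_like_mysqli(), that applies the character set the PHP manual documents for the real function (NUL, \n, \r, \, ', " and Control-Z) and ignores connection-charset handling; build_queries() and the three inputs are constructed for the demonstration and run with plain PHP, no database required.

```php
<?php
// Added example (not from the thread). mysqli_real_escape_string() requires a
// live connection, so this stand-in applies the same documented character set
// (NUL, \n, \r, \, ', " and Ctrl-Z) to show what escaping does and does not
// cover. Unlike the real function it does not know the connection charset.
function escape_like_mysqli(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

/**
 * The three ways this thread builds the WHERE clause, returned as SQL text
 * so the effect of each can be read side by side.
 */
function build_queries(string $id): array
{
    $base = 'SELECT id, product_name, price, quantity FROM products WHERE id=';
    return [
        // escaped but NOT quoted: a payload like "1 OR 1=1" contains nothing
        // the escape function touches, so it lands in the SQL verbatim
        'escaped_unquoted' => $base . escape_like_mysqli($id),
        // escaped AND quoted, as the reply recommends: whatever the payload,
        // it stays inside one string literal
        'escaped_quoted'   => $base . "'" . escape_like_mysqli($id) . "'",
        // cast to int, as the reply says is enough for a numeric column
        'int_cast'         => $base . (int)$id,
    ];
}

// Constructed inputs: a normal id, a boolean-based injection that needs no
// quotes, and a quote-breaking injection.
$inputs = [
    '7',
    '1 OR 1=1',
    "1' OR '1'='1",
];

foreach ($inputs as $input) {
    echo 'input: ' . json_encode($input) . "\n";
    foreach (build_queries($input) as $label => $sql) {
        echo "  $label: $sql\n";
    }
}
```

Read the three rows for the input 1 OR 1=1. The escaped-but-unquoted query ends in WHERE id=1 OR 1=1 and would return every product, because none of those characters is one the escape function rewrites; the quoted form is a string literal that MySQL converts to a number by its leading digits, so it can match at most id 1; the cast gives WHERE id=1. For the quote-breaking input the unquoted form is a syntax error rather than an injection, and the quoted form keeps the whole payload inside the literal. That is why the quotes are not optional when the value is escaped rather than cast.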

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.