Problem with mysqli_real_escape_string

I’m trying to use mysqli_real_escape_string in some code to add values into a MySQL table, but for some reason anything wrapped in mysqli_real_escape_string isn’t entered into the table at all (other data is fine and the query works). I was trying to figure out why. I heard that a “magic quotes” setting on the hosting server might be the reason but wanted to know what else might be possibly causing this.

This is an example of data being taken from the input form and added to the DB:

$address = mysqli_real_escape_string(@$_POST['_Address']);

If I take it out, it works fine, like this:

$address = @$_POST['_Address'];

However I want to use some sort of function to check the data as a security measure. Is there an equivalent function I can use instead?

Otherwise I will try and get hold of the server hosts and see if they can enable this.

Well, I got it to work like this:

$address = $mysqli->real_escape_string($_POST['_Address']);

Seems to do the job…

The POST array is $_POST

Why are you trying to do that?

You should be using prepare and bind statements for your database calls and then escaping the data is completely unnecessary and just breaks the data.
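The prepare-and-bind approach recommended in the last reply, as an added example that is not code from any poster in this thread. The procedural mysqli_real_escape_string() expects the connection as its first argument, which the call in the question omits; with a bound parameter no escaping call is needed at all. The table `customers`, its `address` column, the 255-byte limit and the connection credentials are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Report mysqli failures as exceptions instead of letting them pass silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Insert the submitted address using a prepared statement.
 * The value travels to the server separately from the SQL text, so quotes
 * in the input cannot change the query and the stored data is not altered.
 */
function saveAddress(mysqli $db, array $post): int
{
    // Check for the field explicitly rather than hiding a notice with @.
    $address = $post['_Address'] ?? null;
    if (!is_string($address) || trim($address) === '') {
        throw new InvalidArgumentException('Address is required.');
    }
    // Assumed column size: VARCHAR(255). Reject oversized input up front.
    if (strlen($address) > 255) {
        throw new InvalidArgumentException('Address is too long.');
    }

    // Assumed schema: customers(id AUTO_INCREMENT, address VARCHAR(255)).
    $stmt = $db->prepare('INSERT INTO customers (address) VALUES (?)');
    $stmt->bind_param('s', $address);   // 's' = bind as string
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();

    return $id;
}

// Placeholder credentials (assumptions); replace with your own.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Constructed sample input standing in for $_POST. The apostrophe would
// break a query built by string concatenation; here it is stored as typed.
$samplePost = ['_Address' => "12 O'Brien Street"];

try {
    $id = saveAddress($db, $samplePost);
    echo "Inserted row {$id}\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected input: ' . $e->getMessage() . "\n";
}
```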
