Function clean($str) and MySQLi

I have this function on my old site. Trying to change things to the new MySQLi from MySQL. And this function has some MySQL code in it.

I tried to just replace it with mysqli_real_escape_string, but it's not working.

Not sure how to do this with MySQLi. Maybe someone has a solution to this?

Code below:

// Function to sanitize values received from the form. Prevents SQL injection.
// Uses the old mysql_* extension: mysql_real_escape_string() needs an open
// mysql_connect() link, and get_magic_quotes_gpc() undoes legacy auto-escaping.
function clean($str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

// Sanitize the POST values
$name = clean($_POST['name']);

With mysqli you simply keep the SQL and data separate by using a prepared statement for the SQL and a bind statement for the data.

You will of course still need to validate all inputs properly as well, as you should already be doing in place of clean(), unless all of your database fields are allowed to contain any random character string as valid input.
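As an added example (not code from the original thread), here is the posted clean() flow rewritten around mysqli prepared statements, with validation taking over the role escaping used to play. The table name users, its columns name and email, the connection credentials, and the validation rules are assumptions for illustration; the example assumes PHP 7.1 or later with the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example: migrating the old clean() + mysql_* pattern to mysqli
// prepared statements. Table "users", columns name/email, and the connection
// credentials below are assumptions made for this illustration.

declare(strict_types=1);

// Make mysqli throw exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$db = new mysqli('localhost', 'dbuser', 'dbpass', 'mydb'); // assumed credentials
$db->set_charset('utf8mb4'); // keep the connection charset explicit

// Validation replaces clean(): check that each value has the shape the
// column expects. No escaping is needed, because bound data never becomes
// part of the SQL text that the server parses.
function validateName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }
    return $name;
}

function validateEmail(string $raw): string
{
    $email = trim($raw);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $email;
}

$name  = validateName((string) ($_POST['name'] ?? ''));
$email = validateEmail((string) ($_POST['email'] ?? ''));

// INSERT: the SQL holds only "?" placeholders; the values are bound separately.
$stmt = $db->prepare('INSERT INTO users (name, email) VALUES (?, ?)');
$stmt->bind_param('ss', $name, $email); // one type letter per placeholder, 's' = string
$stmt->execute();
$newId = $db->insert_id;
$stmt->close();

// SELECT with a bound parameter: a value such as "x' OR '1'='1" is compared
// literally against the column and is never interpreted as SQL.
$stmt = $db->prepare('SELECT id, name, email FROM users WHERE email = ?');
$stmt->bind_param('s', $email);
$stmt->execute();
$result = $stmt->get_result(); // requires the mysqlnd driver
while ($row = $result->fetch_assoc()) {
    printf("%d: %s <%s>\n", $row['id'], $row['name'], $row['email']);
}
$stmt->close();

// Placeholders cannot stand in for identifiers (table or column names) or
// keywords such as ASC/DESC. Those must come from a fixed whitelist instead.
$allowedSort = ['name', 'email'];
$requested   = (string) ($_GET['sort'] ?? 'name');
$sort        = in_array($requested, $allowedSort, true) ? $requested : 'name';
$result      = $db->query("SELECT id, name FROM users ORDER BY `$sort`");
```

The type string passed to bind_param() ('ss' above) must have exactly one letter per placeholder; mysqli will refuse the call otherwise. With MYSQLI_REPORT_STRICT enabled, a failed prepare() or execute() raises a mysqli_sql_exception, so the script cannot carry on with a half-run query the way the old mysql_* code would after a silent false.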

Not sure I understand what you mean, I'm not a very advanced programmer. Do you have an example with code like the above?

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

That's the page from the PHP Manual about prepared statements for the MySQLi extension.

Thanks for the info. I read it and it helped me change things.
