
I have the following question: I need to make sure that the query below also accepts values with quotes inside. I tried using mysqli_real_escape_string but it did not work. I am attaching my attempts.

1) Calling the function on the POST value

    $idCantiere = $_POST["idCantiere"];
    $nomeCantiere = mysqli_real_escape_string($_POST["nomeCantiere"]);
    $sql = "INSERT INTO Cantiere(
        idCantiere,
        nomeCantiere)
    VALUES(
        '$idCantiere',
        '$nomeCantiere')";
    if (mysqli_query($mysqli, $sql))
    {
        echo "<script type='text/javascript'>alert('Cantiere Inserto');
        </script>";
    } else
    {
        echo "Error: " . $sql . "" . mysqli_error($mysqli);
    }

2) Calling the function inside the query

    $idCantiere = $_POST["idCantiere"];
    $nomeCantiere = $_POST["nomeCantiere"];
    $sql = "INSERT INTO Cantiere(
        idCantiere,
        nomeCantiere)
    VALUES(
        '$idCantiere',
        mysqli_real_escape_string('$nomeCantiere'))";
    if (mysqli_query($mysqli, $sql))
    {
        echo "<script type='text/javascript'>alert('Cantiere Inserto');
        </script>";
    } else
    {
        echo "Error: " . $sql . "" . mysqli_error($mysqli);
    }

How can I solve the problem?

  • The 2nd one makes no sense; you cannot call functions "inside" a PHP string like that. What error do you get with the first one, then? "How can I solve the problem?" – ideally, by forgetting that mysqli_real_escape_string even exists, and using prepared statements instead. Commented Mar 4, 2019 at 11:03
  • Learn how to use prepared statements - stackoverflow.com/questions/1290975/… Commented Mar 4, 2019 at 11:03
  • What is the error that you get? Commented Mar 4, 2019 at 11:05

5 Answers


Drop the mysqli_real_escape_string() and just use prepared statements, which are simple and prevent SQL injection.

    <?php

    $idCantiere = isset($_POST['idCantiere']) ? $_POST['idCantiere'] : null;
    $nomeCantiere = isset($_POST['nomeCantiere']) ? $_POST['nomeCantiere'] : null;

    // $mysqli is the existing connection; the "?" placeholders are bound below,
    // never interpolated into the SQL text
    $sql = $mysqli->prepare("INSERT INTO Cantiere (idCantiere, nomeCantiere) VALUES (?, ?)");
    $sql->bind_param("is", $idCantiere, $nomeCantiere); // i = integer, s = string

    if ($sql->execute()) {
        //success message
    } else {
        //return error
    }

    ?>

A prepared statement is a feature used to execute the same (or similar) SQL statements repeatedly with high efficiency.

Prepared statements basically work like this:

  • Prepare: An SQL statement template is created and sent to the database. Certain values are left unspecified, called parameters (labeled "?"). Example: INSERT INTO MyGuests VALUES(?, ?, ?). The database parses, compiles, and performs query optimization on the SQL statement template, and stores the result without executing it.
  • Execute: At a later time, the application binds the values to the parameters, and the database executes the statement. The application may execute the statement as many times as it wants with different values.

Compared to executing SQL statements directly, prepared statements have three main advantages:

  • Prepared statements reduce parsing time as the preparation on the query is done only once (although the statement is executed multiple times).
  • Bound parameters minimize bandwidth to the server as you need send only the parameters each time, and not the whole query.
  • Prepared statements are very useful against SQL injections, because parameter values, which are transmitted later using a different protocol, need not be correctly escaped. If the original statement template is not derived from external input, SQL injection cannot occur.


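As an added example (not the answerer's code and not from the question), here is the insert handler from the question written around a prepared statement with mysqli's exception reporting switched on. The connection parameters are placeholders, the table and column names are the ones from the question, and the utf8mb4 charset is an assumption. Two details worth having beyond the snippet above: idCantiere is validated as an integer before it is bound, and the failure path logs the detail server-side instead of echoing $sql and mysqli_error() to the browser as the question's code does.

```php
<?php
// Added example, not from the original post. Host, user, password and
// database are placeholders; the charset is an assumption.
declare(strict_types=1);

// Make mysqli throw on every error instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'USER', 'PASSWORD', 'DB');
// The connection charset matters for escaping; set it on the connection,
// not with a "SET NAMES" query.
$mysqli->set_charset('utf8mb4');

// Validate the id as an integer before it goes anywhere near SQL.
// filter_input() returns false for a non-integer and null if the field is absent.
$idCantiere = filter_input(INPUT_POST, 'idCantiere', FILTER_VALIDATE_INT);
$nomeCantiere = $_POST['nomeCantiere'] ?? null;

if ($idCantiere === false || $idCantiere === null || $nomeCantiere === null || $nomeCantiere === '') {
    http_response_code(400);
    exit('idCantiere (integer) and nomeCantiere are required');
}

try {
    // The template contains only placeholders; the values travel separately
    // and are never parsed as SQL, so quotes in nomeCantiere are plain data.
    $stmt = $mysqli->prepare('INSERT INTO Cantiere (idCantiere, nomeCantiere) VALUES (?, ?)');
    $stmt->bind_param('is', $idCantiere, $nomeCantiere);
    $stmt->execute();
    echo 'Cantiere inserito (', $stmt->affected_rows, ' row)';
} catch (mysqli_sql_exception $e) {
    // Keep the query text and the driver message out of the response body.
    error_log('Cantiere insert failed: ' . $e->getMessage());
    http_response_code(500);
    echo "Errore durante l'inserimento";
}
```

With MYSQLI_REPORT_STRICT a duplicate key or a bad column name becomes a mysqli_sql_exception, so the if/else around execute() in the answer above is no longer needed; the one catch block handles both prepare() and execute() failures.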


You are passing the wrong parameters to the mysqli_real_escape_string() function: before the POST value you must put the connection string with which you access the DB.

$connection=mysqli_connect("localhost","USER","PASSWORD","DB");
$nomeCantiere= mysqli_real_escape_string($connection, $_POST['nomeCantiere']); 

Your second attempt is wrong; reuse my line of code in the first one, during the POST.



You have to pass the connection variable as the first parameter, e.g.:

$con=mysqli_connect("localhost","my_user","my_password","my_db");
$age = mysqli_real_escape_string($con, $_POST['age']);

Checkout documentation for more detail. http://php.net/manual/en/mysqli.real-escape-string.php



You can try to replace the quote with PHP:

$nomeCantiere = $_POST["nomeCantiere"];
$nomeCantiere = str_replace("'", "''", $nomeCantiere); // str_replace returns the new string; keep it

If you insert 2 quotes ('') instead of one, MySQL will put that value in the table with only 1 quote.

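The answer above doubles only the single quote. As an added example (not part of any answer on this page), the following PHP script shows why that is not enough under MySQL's default backslash-escaping rules, and what mysqli_real_escape_string()-style escaping does differently. The literal scanner, both escaping functions and the attacker input are constructed for this demonstration; escapeLikeMysqli() is a stand-in written to run without a connection, it is not the real mysqli_real_escape_string().

```php
<?php
// Added example, not part of any answer on this page. The scanner, both
// escapers and the attacker input are constructed for the demonstration.
declare(strict_types=1);

/**
 * Scan a single-quoted MySQL string literal starting at $sql[$pos] using
 * MySQL's default lexing rules: '' inside the literal is one quote, and a
 * backslash escapes the following character (sql_mode NO_BACKSLASH_ESCAPES
 * turns the second rule off; that mode is not modelled here).
 * Returns [decoded value, text remaining after the closing quote].
 */
function scanMysqlLiteral(string $sql, int $pos): array
{
    if ($sql[$pos] !== "'") {
        throw new InvalidArgumentException('literal must start with a quote');
    }
    $len = strlen($sql);
    $value = '';
    for ($i = $pos + 1; $i < $len; $i++) {
        $c = $sql[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $value .= $sql[++$i];                     // backslash escape: next char is data
        } elseif ($c === "'") {
            if ($i + 1 < $len && $sql[$i + 1] === "'") {
                $value .= "'";                        // doubled quote is one literal quote
                $i++;
            } else {
                return [$value, substr($sql, $i + 1)]; // closing quote
            }
        } else {
            $value .= $c;
        }
    }
    throw new RuntimeException('unterminated string literal');
}

/** The escaping from the answer above: only the quote is doubled. */
function escapeByDoubling(string $s): string
{
    return str_replace("'", "''", $s);
}

/**
 * Stand-in for what mysqli_real_escape_string() emits on a backslash-escaping
 * connection: NUL, newline, carriage return, Ctrl-Z, backslash and both quotes
 * are escaped. strtr() makes a single pass, so the backslashes it inserts are
 * not themselves re-escaped. In real code call mysqli_real_escape_string($conn, $s);
 * this copy exists only so the script runs offline.
 */
function escapeLikeMysqli(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
    ]);
}

// Constructed attacker input: a backslash, a quote, then SQL to smuggle in.
$input = "\\' OR 1=1 -- ";

foreach (['doubling' => 'escapeByDoubling', 'mysqli-style' => 'escapeLikeMysqli'] as $label => $escape) {
    $sql = "SELECT * FROM Cantiere WHERE nomeCantiere = '" . $escape($input) . "'";
    [$value, $rest] = scanMysqlLiteral($sql, strpos($sql, "'"));
    printf("%-12s literal=%s  outside the literal=%s\n",
        $label, json_encode($value), json_encode($rest));
}
```

Run it with php on the command line. With the doubling escaper the input becomes \'' OR 1=1 -- , the backslash consumes the first of the two quotes, the second quote closes the literal, and OR 1=1 -- is left outside the string as live SQL (the trailing comment swallows the real closing quote). With the backslash escaped as well, the whole input stays inside the literal. Which rules the server applies depends on the connection's character set and sql_mode, which is exactly why mysqli_real_escape_string() needs the connection handle as its first argument, and why a prepared statement, which never parses the value as SQL at all, is the simpler fix.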


You are missing one parameter in the function: mysqli_real_escape_string($con, $sql);
