mysqli_real_escape and mysqli prepare both turn variable null?

<p>I have been trying to secure my code for a few days since reading about MySQL injection. The trouble I am having is that when I edit my code to add mysqli_real_escape_string, it changes the variable I am trying to insert into the database to null.</p>

<p>So, no problem, I thought: I can just go a step further and use a prepared statement instead. The only problem is that this changes all the POST variables to null. Not sure what to do. Both of the code samples below run without error, except that the first enters everything into the database except $escapecomment, and the second inserts NOTHING into the database.</p>

<p>I have looked around quite a bit, but the problems others have had and corrected don't seem to be the problem I have. I am 100% sure that the variables have a value, because when I remove $escapecomment = mysqli_real_escape_string($_POST['comment']); and just use $_POST['comment'] as the value instead of $escapecomment, it works perfectly but obviously is not very secure. Thanks for your time and knowledge.</p>

<p>First code, with mysqli_real_escape_string</p>

<pre><code>$con=mysqli_connect($host,$username,$password,$dbname);
if (mysqli_connect_errno()) {
    mysqli_connect_error();
}
$escapecomment = mysqli_real_escape_string($_POST['comment']);
$sql="INSERT INTO comments (cid, username, comment) VALUES ('$_POST[cid]','$_POST[username]','$escapecomment')";
if (!mysqli_query($con,$sql)) {
    die('Error: ' . mysqli_error());
}
mysqli_close($con);
</code></pre>

<p>Second code, where I use prepared statements instead</p>

<pre><code>$con=mysqli_connect($host,$username,$password,$dbname);
// Check connection
if (mysqli_connect_errno()) {
    mysqli_connect_error();
}
/* Create the prepared statement */
if ($stmt = $con->prepare("INSERT INTO comments (cid, username, comment) values (?, ?, ?)")) {
    /* Bind our params */
    $stmt->bind_param('iss', $ccid, $cusername, $ccomment);
    /* Set our params */
    $ccid = $_POST[cid];
    $cusername = $_POST_['username'];
    $ccomment = $_POST['comment'];
    /* Execute the prepared Statement */
    $stmt->execute();
}
$stmt->close();
</code></pre>

<p>Any thoughts? Thank you</p>
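An added example, not the poster's code and not an answer taken from the thread: both approaches from the question, rewritten so that each variable actually carries its POST value into MySQL, with mysqli error reporting switched on so a failed INSERT raises an exception instead of silently inserting nothing. Two details differ from the posted snippets: the procedural mysqli_real_escape_string() takes the connection as its first argument (called with only the string, PHP 5 and 7 emit a warning and return null, and PHP 8 throws an ArgumentCountError), and the second snippet reads $_POST_['username'] where $_POST['username'] is meant. The connection credentials, the comments table layout and the sample form input below are assumptions made for this example; a reachable MySQL server is required to run it.

```php
<?php
// Added example, not the poster's code. Assumed: a reachable MySQL server with the
// credentials below and a table created as
//   CREATE TABLE comments (id INT AUTO_INCREMENT PRIMARY KEY, cid INT,
//                          username VARCHAR(64), comment TEXT);
$host     = 'localhost'; // assumed
$username = 'app';       // assumed
$password = 'secret';    // assumed
$dbname   = 'site';      // assumed

// Turn every mysqli error into an exception: no silent failures, no die() with an empty message.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connectDb(string $host, string $user, string $pass, string $db): mysqli
{
    $con = new mysqli($host, $user, $pass, $db);
    $con->set_charset('utf8mb4'); // escaping depends on the connection charset, so fix it first
    return $con;
}

// Approach 1: escape, then interpolate. The procedural function needs the connection as its
// FIRST argument; with the string alone the call fails and the assignment ends up null.
function insertCommentEscaped(mysqli $con, array $post): int
{
    $cid     = (int) $post['cid'];                                 // integer column: cast, do not quote
    $user    = mysqli_real_escape_string($con, $post['username']);
    $comment = mysqli_real_escape_string($con, $post['comment']);
    $sql = "INSERT INTO comments (cid, username, comment) VALUES ($cid, '$user', '$comment')";
    $con->query($sql);
    return (int) $con->insert_id;
}

// Approach 2 (preferred): a prepared statement. The values never become part of the SQL text,
// so nothing needs escaping and quote characters in the input cannot change the query.
function insertCommentPrepared(mysqli $con, array $post): int
{
    $stmt    = $con->prepare("INSERT INTO comments (cid, username, comment) VALUES (?, ?, ?)");
    $cid     = (int) $post['cid'];
    $user    = $post['username'];   // $_POST['username']; the question's snippet has $_POST_
    $comment = $post['comment'];
    $stmt->bind_param('iss', $cid, $user, $comment); // binds by reference; values are read at execute()
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed sample input standing in for $_POST; the quotes would break an unescaped query.
$samplePost = [
    'cid'      => '7',
    'username' => "o'neil",
    'comment'  => "it's fine'); DROP TABLE comments; -- ",
];

$con = connectDb($host, $username, $password, $dbname);
$id1 = insertCommentEscaped($con, $samplePost);
$id2 = insertCommentPrepared($con, $samplePost);
$row = $con->query("SELECT comment FROM comments WHERE id = $id2")->fetch_assoc();
echo "escaped insert id=$id1, prepared insert id=$id2, stored comment: {$row['comment']}\n";
$con->close();
```

Both functions store the sample comment verbatim, quotes and all, and the stray "DROP TABLE" text stays inert data. With MYSQLI_REPORT_STRICT set, a wrong argument count, a bad column name or a NOT NULL violation surfaces as a mysqli_sql_exception, which is the check that would have exposed the null values in the original snippets immediately.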