Warning: MySQLi_Real_Escape_String() Expects Exactly 2 Parameters, 1 Given... What I Do Wrong

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given... what I do wrong?

You are mixing mysqli and mysql functions.

If you are using the mysql functions, then instead of mysqli_real_escape_string($your_variable); use

$username = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['pass']);
$pass1 = mysql_real_escape_string($_POST['pass1']);
$email = mysql_real_escape_string($_POST['email']);

If you are using the mysqli_* functions, then you have to pass your database connection into the mysqli_real_escape_string function:

$username = mysqli_real_escape_string($your_connection, $_POST['username']);
$pass = mysqli_real_escape_string($your_connection, $_POST['pass']);
$pass1 = mysqli_real_escape_string($your_connection, $_POST['pass1']);
$email = mysqli_real_escape_string($your_connection, $_POST['email']);

Note: Use the mysqli_* functions, since the mysql extension has been deprecated. For information please read mysqli_*

mysqli_real_escape_string() expects exactly 2 parameters, 1 given

Documentation says it needs two parameters:

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

The first one is a link for a mysqli instance, the second one is the string to escape.

Php 5.4 to 7.1 : Mysqli_real_escape_string() 2 parameters, 1 given in

magic_quotes_gpc is deprecated as of PHP 5.3 and removed as of PHP 5.4, so your check here is useless. And keep in mind that your connection isn't visible inside the function; you'll either have to accept it as an argument or use the global keyword, which isn't a good solution.

Accepting it as an argument:

function cG($con, $name)
{
    $name = mysqli_real_escape_string($con, $_GET[$name]);
    return $name;
}

cG($con, 'something');

or using the global keyword:

function cG($name)
{
    global $con;
    $name = mysqli_real_escape_string($con, $_GET[$name]);
    return $name;
}

Passing special characters to a mysql database with php

You're heavily mixing object-oriented functions and procedural functions, which will not work. I've converted your full example to an object-oriented approach below:

<?php
$servername = "localhost";
$username = "root";
$password = "";
$dbname = "dbname";

$conn = new mysqli($servername, $username, $password, $dbname);

// Nothing below can work without a connection, so stop early if it failed
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // No real_escape_string() on these values: bound parameters are sent to the
    // server separately from the SQL text, so escaping them here would only store
    // the added backslashes (the "special characters" problem from the question)
    $name = strtolower($_POST['name']);
    $header = strtolower($_POST['header']);
    $address = strtolower($_POST['address']);
    $city = strtolower($_POST['city']);
    $county = strtolower($_POST['county']);
    $post = strtolower($_POST['post']);
    $tele = strtolower($_POST['tele']);
    $mob = strtolower($_POST['mob']);
    $email = strtolower($_POST['email']);
    $web = strtolower($_POST['web']);

    $stmt = $conn->prepare("SELECT * FROM business_dir WHERE `name` = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $stmt->store_result();

    $matchFound = $stmt->num_rows > 0;

    // Close the prepared statement
    $stmt->close();

    // Note: this check-then-insert is not atomic; two simultaneous requests can both
    // pass the check. A UNIQUE index on `name` is what actually prevents duplicates.
    if ($matchFound === FALSE) {
        $stmt = $conn->prepare("INSERT INTO business_dir (`name`, `header`, `address`, `city`, `county`, `post`, `tele`, `mob`, `email`, `web`) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
        $stmt->bind_param("ssssssssss", $name, $header, $address, $city, $county, $post, $tele, $mob, $email, $web);

        if ($stmt->execute() == TRUE) {
            echo '<div class="alert alert-success text-center" style="margin:20px;" role="alert">Business Successfully Added!</div>';
        } else {
            echo '<div class="alert alert-danger text-center" style="margin:20px;" role="alert">Error: ' . $stmt->error . '</div>';
        }

        $stmt->close();
    } else {
        echo '<div class="alert alert-danger text-center" style="margin:20px;" role="alert">Business Failed To Be Added, An Entry With The Same Name Already Exists!</div>';
    }
}

// Close the mysqli connection
$conn->close();
?>

In addition, mysqli_real_escape_string() offers little protection against SQL Injection Attacks. As such, I've modified your example to use prepared statements for added security.

mysql_real_escape_string(): Access denied in DB insert

mysqli_real_escape_string() needs the database link as the first parameter, which is why it isn't working.

However, MediaWiki wants us to avoid direct queries, so it has the $dbw->insert() method instead, one of several wrapper functions.

Use something like this:

function Lookup_addLookup($url, $name, $group)
{
    $dbw = wfGetDB(DB_MASTER);

    $groupOrder = Lookup_getGroupOrder($group);
    $dbw->insert(
        Lookup_prefix() . "lookups",
        array(
            'lu_name' => $name,
            'lu_url' => $url,
            'lu_group' => $group,
            'lu_order' => 1,
            'lu_group_order' => $groupOrder
        )
    );

    Lookup_reOrderGroups();
    return true;
}

And in the second example, use $dbw->update():

function Lookup_moveGroupUp($group)
{
    $dbw = wfGetDB(DB_MASTER);

    $dbw->update(
        Lookup_prefix() . "lookups",
        array(
            "lu_group_order" => 0
        ),
        array(
            "lu_group" => $group
        )
    );

    Lookup_reOrderGroups();

    return true;
}

For more information and other SQL wrappers, read about the different wrapper functions and their documentation.

Issue with mysql_real_escape_string()

Putting mysql_real_escape_string() after you connect to the db will work fine.

However, you should shift to mysqli or PDO. The mysql extension is deprecated now.
A few links to help you out:

  1. Moving from mysql to mysqli or pdo?
  2. mysqli or PDO - what are the pros and cons?

The equivalent commands in mysqli and PDO for escaping would be mysqli_real_escape_string() and PDO::quote() respectively.

As people are pointing out, PDO is definitely the better alternative. Here is an answer I previously wrote comparing PDO with others.

PDO - real facts and best practice?

And another advantage of this will be that you don't need to use escaping functions if you use prepared statements with named parameters.
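As an added example that is not part of any answer above, the following PHP script shows the point the last two answers make: escaping (mysqli_real_escape_string() or PDO::quote()) only helps inside a quoted string literal, whereas a prepared statement with a bound parameter is safe in any position of the query. It uses PDO with an in-memory SQLite database so it runs offline (the pdo_sqlite extension is required); the users table and its rows are constructed sample data, and the escapeOnly() helper is an assumption that stands in for mysqli_real_escape_string(), which escapes but does not add quotes.

```php
<?php
// Added example (not code from the original answers). Demonstrates why escaping a
// value is only meaningful inside a quoted literal, and why bound parameters are the
// real fix. Runs offline on an in-memory SQLite database via PDO.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample schema and data
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('o''brien', 'user')");

// Assumed helper standing in for mysqli_real_escape_string(): escape the special
// characters but add no surrounding quotes. PDO::quote() returns the value wrapped
// in quotes, so strip the outer pair to get escape-only behaviour.
function escapeOnly(PDO $pdo, string $value): string
{
    return substr($pdo->quote($value), 1, -1);
}

// 1. Escaping inside a quoted literal: the attacker's quote is neutralised and a
//    legitimate apostrophe (o'brien) is stored/compared correctly.
function findByNameEscaped(PDO $pdo, string $name): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . escapeOnly($pdo, $name) . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping in a numeric context (no quotes around the value): there is nothing to
//    escape, so the payload is spliced into the SQL verbatim. This is the classic hole
//    that mysqli_real_escape_string() does not close.
function findByIdEscaped(PDO $pdo, string $id): array
{
    $sql = "SELECT username, role FROM users WHERE id = " . escapeOnly($pdo, $id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement with a named parameter: the value never becomes part of the
//    SQL text, so the same payload is just a string that matches no id.
function findByIdPrepared(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT username, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$payloadName = "x' OR '1'='1";
$payloadId   = '1 OR 1=1';

printf("escaped name, legit input  : %d row(s)\n", count(findByNameEscaped($pdo, "o'brien")));   // 1
printf("escaped name, payload      : %d row(s)\n", count(findByNameEscaped($pdo, $payloadName))); // 0
printf("escaped id, legit input    : %d row(s)\n", count(findByIdEscaped($pdo, '1')));            // 1
printf("escaped id, payload        : %d row(s)\n", count(findByIdEscaped($pdo, $payloadId)));     // 3, whole table
printf("prepared id, legit input   : %d row(s)\n", count(findByIdPrepared($pdo, '1')));           // 1
printf("prepared id, payload       : %d row(s)\n", count(findByIdPrepared($pdo, $payloadId)));    // 0
```

Run it with php on the command line. The "escaped id, payload" line is the one to look at: the escaping function was called, yet every row comes back, because 1 OR 1=1 contains no character that escaping touches. The prepared version returns nothing for the same input; on MySQL you would additionally validate or cast the id (for example bind it with PDO::PARAM_INT after checking it with filter_var) so that a non-numeric value is rejected up front rather than silently compared.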
