
I have tried endless variations of mysqli_real_escape_string() to insert a simple array in a column in one of my tables. The contents of the column are blank every time.

Can anyone see anything wrong with this query?

$accessRights = array(
  'S-01' => 'Y',
  'S-02' => 'Y',
);
$accessRights = serialize( $accessRights );

mysqli_query( $GLOBALS['db_link'], 'SET NAMES "utf8"' ); // to ensure proper encoding of special characters
$query_string = '
  UPDATE users_accessRights
  SET
    accessRights = "' . mysqli_real_escape_string( $accessRights ) . '"
  WHERE userID = "' . $_POST['userID'] . '"
  LIMIT 1
';
mysqli_query( $GLOBALS['db_link'], $query_string ) or die( mysqli_error( $GLOBALS['db_link'] ) );

Note: I can use this query to insert a simple text string into the table, so I know the query itself works.

  • Why not save yourself all this trouble and use a prepared statement with bound parameters? Also, you should use mysqli_set_charset() instead of the SET NAMES query. Commented Nov 2, 2015 at 0:03
  • Terrific @Phil - I like saving myself trouble... Now the question is what does your suggestion mean and how do I go about doing that? Commented Nov 2, 2015 at 0:07

1 Answer 1


It seems to me that you do not have sufficient error reporting enabled to have noticed a syntax error in your code. mysqli_real_escape_string() requires two arguments, not one. You should make sure your development environment's php.ini has the following entries set:

error_reporting = E_ALL
display_errors = On

Alternatively, place this at the top of your script but remove it for production:

ini_set('display_errors', 'On');
error_reporting(E_ALL);

A better way to create queries with variable / user input is prepared statements. For example:

// set mysqli to throw exceptions so you don't have to check return
// values for false or use "or die"
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = $GLOBALS['db_link']; // I suggest you avoid using globals like this ASAP

$mysqli->set_charset('utf8');

$stmt = $mysqli->prepare(
    'UPDATE users_accessRights SET accessRights = ? WHERE userID = ? LIMIT 1');
$stmt->bind_param('si', $accessRights, $_POST['userID']);
$stmt->execute();

This assumes that userID is an integer field.
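As an added example (not code from the question or the answer above): the same update done with a prepared statement, plus a matching read-back of the stored array. It assumes the users_accessRights table from the question, a mysqli connection $db created elsewhere, and that valid keys look like S-01 with values Y or N.

```php
<?php
declare(strict_types=1);

// Throw mysqli_sql_exception on any failure instead of returning false,
// so no "or die" checks are needed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function saveAccessRights(mysqli $db, int $userId, array $rights): int
{
    // Assumed schema: keys like "S-01", values "Y" or "N"; anything else is dropped.
    $clean = [];
    foreach ($rights as $key => $val) {
        if (preg_match('/^S-\d{2}$/', (string) $key) && in_array($val, ['Y', 'N'], true)) {
            $clean[$key] = $val;
        }
    }
    $payload = serialize($clean);

    // Placeholders keep the values out of the SQL text; no escaping needed.
    $stmt = $db->prepare(
        'UPDATE users_accessRights SET accessRights = ? WHERE userID = ? LIMIT 1'
    );
    $stmt->bind_param('si', $payload, $userId); // s = string, i = integer
    $stmt->execute();
    return $stmt->affected_rows; // 0 means no such user or an unchanged row
}

function loadAccessRights(mysqli $db, int $userId): array
{
    $stmt = $db->prepare('SELECT accessRights FROM users_accessRights WHERE userID = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($stored);
    if (!$stmt->fetch() || $stored === null) {
        return [];
    }
    // allowed_classes => false: a tampered column can never instantiate objects;
    // plain arrays still round-trip unchanged.
    $data = unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Usage: validate userID as an integer before it reaches the query.
// $userId = filter_input(INPUT_POST, 'userID', FILTER_VALIDATE_INT);
// if ($userId === false || $userId === null) { http_response_code(400); exit; }
// $db = new mysqli('localhost', 'user', 'pass', 'dbname'); // hypothetical connection
// $db->set_charset('utf8');
// saveAccessRights($db, $userId, ['S-01' => 'Y', 'S-02' => 'Y']);
// loadAccessRights($db, $userId) === ['S-01' => 'Y', 'S-02' => 'Y'];
```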


3 Comments

Nice, I'll give it a try -- thanks @Phil...(and yes, userID is an integer -- key field)
@H.Ferrence cool, that's what the "i" in "si" is for (the "s" being for "string"). Let me know how you go and make sure you read that prepared statement quickstart guide for a deeper understanding.
Thanks @Phil. I got it to work via mysqli_real_escape_string( $GLOBALS['db_link'], $accessRights ). I need to look into Prepared Statements and begin to understand that method. Thanks for the help and the tip.
