What's wrong with this syntax?

eMonk

$height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height'],ENT_QUOTES)));

 

Here's the error message I'm getting:

 

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 3 given

 

I just added in the htmlentities and ENT_QUOTES to the line but not sure how to format it. Any ideas?

 


$height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height'],ENT_QUOTES)));

$height = trim(htmlentities(mysqli_real_escape_string($db,$_POST['height']), ENT_QUOTES));

 

There's no need to fit everything onto one line. Split it up, it makes the code more readable:

 

$height = trim($_POST['height']);
$height = mysqli_real_escape_string($db, $height);

 

I actually left out htmlentities(), as this is something you should do as you output user input, not when preparing it for saving to a database.

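As an added example (not code from the thread or its posters), here is the same form field handled the way the reply above recommends, with the two escaping jobs kept apart: the SQL side uses a mysqli prepared statement instead of mysqli_real_escape_string(), and HTML escaping happens only when the value is printed. `$db` is the thread's mysqli connection; the `profiles` table, its `id` and `height` columns, the user id, and the sample values are assumptions made for the example. It needs PHP 7.1 or later.

```php
<?php
// Added example, not from the thread. Assumed: $db is the thread's mysqli
// connection, a table `profiles` with an integer `id` and a `height` column
// exists, and PHP >= 7.1 is in use.
declare(strict_types=1);

// Normalise and validate the raw form field first. A height is a small
// number; rejecting anything else removes most of the "what do I escape"
// question before it arises.
function normalize_height(string $raw): ?int
{
    $raw = trim($raw);
    if (!preg_match('/^\d{1,3}$/', $raw)) {
        return null;                       // not a plausible height in cm
    }
    $cm = (int) $raw;
    return ($cm >= 50 && $cm <= 300) ? $cm : null;
}

// Store with no string escaping at all: a bound parameter travels to the
// server separately from the SQL text, so quotes in the input cannot end the
// string literal the way they can in a hand-built query.
function save_height(mysqli $db, int $userId, int $cm): bool
{
    $stmt = $db->prepare('UPDATE profiles SET height = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $cm, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// If SQL strings must be built by hand, escape at the last moment, put the
// result inside quotes, and call mysqli_set_charset() first: the escaper's
// idea of which bytes are quotes depends on the connection charset.
function legacy_escaped_query(mysqli $db, string $value): string
{
    return "SELECT id FROM profiles WHERE height = '"
        . $db->real_escape_string($value) . "'";
}

// HTML escaping belongs here, at output, once, for the context the value is
// printed into. ENT_QUOTES also covers single-quoted attributes;
// ENT_SUBSTITUTE stops invalid UTF-8 from silently turning the output into "".
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Why the one-liner put the escaping in the wrong place: a value that went
// through htmlentities() before storage comes back double-encoded on output.
$storedWrongly = htmlentities("5'11\"", ENT_QUOTES);  // what the one-liner would save
$storedRightly = "5'11\"";                             // what the prepared statement saves

echo "stored (escaped on input): {$storedWrongly}\n";           // 5&#039;11&quot;
echo "rendered from that:        " . html($storedWrongly) . "\n"; // 5&amp;#039;11&amp;quot;
echo "rendered from raw value:   " . html($storedRightly) . "\n"; // 5&#039;11&quot;

// Validation against constructed sample values for the thread's field.
foreach (['180', ' 175 ', "180' OR 1=1", '<b>6</b>'] as $sample) {
    $cm = normalize_height($sample);
    printf("%-18s => %s\n", var_export($sample, true), $cm === null ? 'rejected' : $cm);
}

// Only runs when the thread's $db connection is actually available.
if (isset($db) && $db instanceof mysqli
    && ($cm = normalize_height($_POST['height'] ?? '')) !== null) {
    save_height($db, 1, $cm);                          // user id 1 is assumed
}
```

The validation step is what makes the rest simple: once the field can only ever be a three-digit integer, there is nothing left for either escaper to do, and the prepared statement is there for the columns that do carry free text.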

Why "ugly"? I mean, I use htmlspecialchars() myself generally, but htmlentities() just encodes more characters. When escaping user input the idea is you have little to no HTML anyway, so it's not exactly ugly but just more than necessary.


Ugly is mostly cosmetic in this case. The important reason is not having to deal with character encoding, assuming ISO-8859-1, ISO-8859-15, UTF-8, cp866, cp1251, cp1252, or KOI8-R.

 

The following

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
<?php 

$phrase = "Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>";

echo 'entities: '. htmlentities( $phrase, ENT_COMPAT, 'UTF-8' ) . "\n";
echo 'specialchars: '. htmlspecialchars( $phrase );

?>

Outputs

<meta http-equiv="Content-Type" content="text/html;charset=utf-8" >
entities: Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>
specialchars: Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>

 

Both output the same on the page. You're adding extra parsing, and extra data to send to the client with no advantage. On top of that, you have to specify your character set if you want to use UTF-8.

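The comparison above shows that the two functions neutralise the same HTML-significant characters. As an added example (not from the thread), the script below runs the same phrase through both and then shows the two things the comparison did not cover: ENT_COMPAT, the flag used above, leaves the apostrophe alone, which matters inside a single-quoted attribute, and once a charset is involved, invalid UTF-8 makes both functions return an empty string unless ENT_SUBSTITUTE is set. The attribute payload and the Latin-1 byte string are constructed inputs; PHP 5.4 or later is assumed, since that is where the UTF-8 default and ENT_SUBSTITUTE arrived.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.4; the payload and the
// Latin-1 byte string below are constructed for the demonstration.
declare(strict_types=1);

$phrase = "Mon collègue a étudié à <b>l'hôpital</b>. Il est un garçon <i>naïf</i>";

// Same HTML-significant characters are encoded either way; htmlentities()
// additionally spells out every accented letter, so only the size differs.
$entities = htmlentities($phrase, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
$special  = htmlspecialchars($phrase, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
printf("entities (%d bytes):     %s\n", strlen($entities), $entities);
printf("specialchars (%d bytes): %s\n", strlen($special), $special);

// Where the flag matters: a value printed into a single-quoted attribute.
// ENT_COMPAT encodes only double quotes, so the apostrophe closes the
// attribute early; ENT_QUOTES encodes it as &#039;.
$payload = "x' onmouseover='alert(1)";
$compat  = htmlspecialchars($payload, ENT_COMPAT, 'UTF-8');
$quotes  = htmlspecialchars($payload, ENT_QUOTES, 'UTF-8');
echo "<a title='{$compat}'>   <!-- attribute closed early -->\n";
echo "<a title='{$quotes}'>   <!-- apostrophe encoded -->\n";

// Where the charset matters: a byte sequence that is not valid UTF-8.
$broken = "caf\xE9";                                   // Latin-1 é, not UTF-8
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8'));                  // string(0) ""
var_dump(htmlspecialchars($broken, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')); // "caf" + U+FFFD
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'ISO-8859-1'));             // "caf\xE9" unchanged
```

The empty-string case is the quiet one: a field that silently renders as nothing looks like a display bug, not an encoding mismatch, so pass the charset explicitly and add ENT_SUBSTITUTE rather than relying on the default.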
