tags:

views:

275

answers:

3
Q: 

MySQL PHP mysql_real_escape_string() - is this value not a string?

I am trying to update a record with the info from a multiple select box, I had it working fine when I was using INSERT INTO to add a new row, but now that I am trying to add it to this code that is using mysql_real_escape_string() it is returning the error message at the bottom of this post. I presume it has something wrong with the value I'm trying to pass into it, but I don't know how to format it to make PHP happy!

 $query = "UPDATE studies
            SET strategies = '" . mysql_real_escape_string($strategies) . "' WHERE id = '" . mysql_real_escape_string($id) . "'"; 



while($row = mysql_fetch_array($result)) {
    $strategylist = $row['name'];
    $strategyname = htmlspecialchars($row['name']);
$pagelink = str_replace(" ","_",$strategylist);

    echo '<option value="<a href=&quot;strategies.php?strategy=' . $pagelink . '&quot;>'.$strategyname.'</a>" >' . $strategyname . '</option>' . '\n';
}

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given on line 100 (that is the line above that starts SET strategies ='".....)

A: 

i think

$id is not string

mysql_real_escape_string($id)
Haim Evgi  2009-07-01 12:34:47
A: 

It is complaining that $strategies/$id is an array and should be a string.

clinisbut  2009-07-01 12:35:42
+3  A: 

Looks like $strategies is an array rather than a string. Since you have a multi-select box, if they select multiple items, $strategies will come back as an array.

It comes down to how you want to store multiple selections in that single database column. If you just want to append the selections together into one big string, then use implode():

// Sets strategies to a comma-separated list of selected strategies.
$query = "UPDATE studies
          SET strategies = '" . 
          mysql_real_escape_string(is_array($strategies) ? implode(',', $strategies) : $strategies) . "'
          WHERE id = '" . mysql_real_escape_string($id) . "'";

ETA:

As an aside, what you are doing here looks really scary. You have an html link for a value on a select box option, which you are then storing in the database (presumably to display later?).

This is really opening yourself up for a trivial XSS attack where somebody submits a fake form with their own options containing links to an attack site, which you happily store in your DB and display later on your site.

Store an ID (or list of ids in your case) or something in your database, then build the links later when you need to display them.

Eric Petroelje  2009-07-01 12:39:13

related questions

Remove Quotes and Commas from a String in MySQL
What's the best way of converting a mysql database to a sqlite one?
How do you manage databases in development, test, and production?
Multiple foreign keys?
Add 1 to a field (MySQL)
Issues using MS Access as a front-end to a MySQL database back-end?
Bigger than a char but smaller than a blob
How do I retrieve my MySQL username and password?
Long-time LAMP Developer moving to VB.NET
How do I Concatenate entire result sets in MySQL?
Full complete MySQL database replication? Ideas? What do people do?
SQL: Distribution of table in time
SQLite vs MySQL
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Multiple Updates in MySQL
MySQL/Apache Error in PHP MySQL query
What all do I need to escape when sending a (My)SQL query?
Auto Generate Database Diagram MySQL
Mechanisms for tracking DB schema changes
How big can a MySQL database get before performance starts to degrade.
Python and MySQL
SQL Server 2005 implementation of MySQL REPLACE INTO?
How to export data from SQL Server 2005 to MySQL
Throw Error In MySQL Trigger
Binary Data in MySQL