I'm trying to make a basic CMS, following the tutorial here: cms tut

In article.php it uses `mysql_escape_string($order)` with a PDO connection. That function was removed in PHP 7, so I changed it to `mysqli_escape_string($order)`, but it then somehow gives errors about needing 2 parameters. I'm new to PHP; I searched and I think the problem is the PDO connection, since I cannot pass that connection as the second argument. Any thoughts or ideas? Thanks in advance.

Here is the code:
```php
public static function getList( $numRows=1000000, $order="publicationDate DESC" ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM articles ORDER BY " . mysqli_escape_string($order) . " LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $article = new Article( $row );
        $list[] = $article;
    }
    // Now get the total number of articles that matched the criteria
    $sql = "SELECT FOUND_ROWS() AS totalRows";
    $totalRows = $conn->query( $sql )->fetch();
    $conn = null;
    return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
}
```
After updating the code to create a mysqli connection, in the browser there is this error: `mysqli_connect(): (hy000/2002): php_network_getaddresses: getaddrinfo failed: no such host known.`

And in the server error log this: `call member function real_escape_string() on boolean`

The updated code is:
```php
public static function getList( $numRows=1000000, $order="publicationDate DESC" ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $link = mysqli_connect(DB_USERNAME, DB_PASSWORD, DB_DSN);
    $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM articles ORDER BY " . $link->real_escape_string($order) . " LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $article = new Article( $row );
        $list[] = $article;
    }
    // Now get the total number of articles that matched the criteria
    $sql = "SELECT FOUND_ROWS() AS totalRows";
    $totalRows = $conn->query( $sql )->fetch();
    $conn = null;
    return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
}
```
You need to pick one of `mysql_`, `mysqli_`, or PDO (don't pick `mysql_`).

You can't mix PDO and `mysqli_`.

You don't need to use `mysqli_escape_string` to defend PDO against SQL injection; it has its own methods (which you are already using for `numRows`!!).

See How can I prevent SQL injection in PHP? for guidance on handling special characters with PDO.
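As an added example (not code from the question, the answer, or the tutorial), here is the same `getList()` written with PDO only. The `LIMIT` value is bound as an integer parameter, but an `ORDER BY` column or direction cannot be bound as a parameter, so the `$order` string is checked against an allow-list instead of being escaped. The `Article` class and the `DB_DSN`/`DB_USERNAME`/`DB_PASSWORD` constants are the tutorial's; the `ArticleList` class name, the allow-list of sortable columns, and the "column direction" format of `$order` are assumptions.

```php
<?php
// Added example: PDO only, no mysqli. The sort order is validated against
// an allow-list because ORDER BY identifiers cannot be bound parameters.
class ArticleList
{
    // Assumed allow-list: only these columns may be sorted on.
    private const SORTABLE_COLUMNS = ['publicationDate', 'title', 'id'];

    // Turns a user-supplied "column direction" string into a safe ORDER BY
    // fragment such as "`publicationDate` DESC", or throws if it is not allowed.
    public static function orderByClause(string $order): string
    {
        $parts = preg_split('/\s+/', trim($order));
        $column = $parts[0] ?? '';
        $direction = strtoupper($parts[1] ?? 'ASC');
        if (count($parts) > 2
            || !in_array($column, self::SORTABLE_COLUMNS, true)
            || !in_array($direction, ['ASC', 'DESC'], true)) {
            throw new InvalidArgumentException("Invalid sort order: $order");
        }
        return "`$column` $direction";
    }

    public static function getList(int $numRows = 1000000, string $order = 'publicationDate DESC'): array
    {
        $orderBy = self::orderByClause($order);   // validated, never escaped
        $conn = new PDO(DB_DSN, DB_USERNAME, DB_PASSWORD);
        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate "
             . "FROM articles ORDER BY $orderBy LIMIT :numRows";
        $st = $conn->prepare($sql);
        $st->bindValue(':numRows', $numRows, PDO::PARAM_INT);  // LIMIT is bound, typed as int
        $st->execute();
        $list = [];
        while ($row = $st->fetch(PDO::FETCH_ASSOC)) {
            $list[] = new Article($row);
        }
        // Total number of rows matched by the previous query, ignoring LIMIT
        $totalRows = $conn->query('SELECT FOUND_ROWS() AS totalRows')->fetchColumn();
        $conn = null;
        return ['results' => $list, 'totalRows' => (int) $totalRows];
    }
}
```

A request for `?order=title ASC` passes the check, while anything that is not an allow-listed column plus an optional `ASC`/`DESC` is rejected before it reaches the query.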