mysql - mysqli vs mysql and PDO connection


I am trying to make a basic CMS, following the tutorial here: cms tut

In article.php, it uses mysql_escape_string($order) with a PDO connection, which was removed in PHP 7, so I changed it to mysqli_escape_string($order), and it proceeds and somehow gives errors about 2 parameters. I am new to PHP; I searched, and I think the problem is the PDO connection: I cannot put the connection as the second argument. Any thoughts or ideas? Thanks in advance.

Here is the code:

    public static function getList( $numRows=1000000, $order="publicationDate DESC" ) {
      $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
      $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM articles
              ORDER BY " . mysqli_escape_string($order) . " LIMIT :numRows";

      $st = $conn->prepare( $sql );
      $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
      $st->execute();
      $list = array();

      while ( $row = $st->fetch() ) {
        $article = new Article( $row );
        $list[] = $article;
      }

      // Get the total number of articles that matched the criteria
      $sql = "SELECT FOUND_ROWS() AS totalRows";
      $totalRows = $conn->query( $sql )->fetch();
      $conn = null;
      return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
    }

After updating the code and creating a mysqli connection, in the browser there is an error: mysqli_connect(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: No such host is known.

And in the server error log there is this: Call to a member function real_escape_string() on boolean

The updated code is:

    public static function getList( $numRows=1000000, $order="publicationDate DESC" ) {
      $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
      $link = mysqli_connect(DB_USERNAME, DB_PASSWORD, DB_DSN);

      $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM articles
              ORDER BY " . $link->real_escape_string($order) . " LIMIT :numRows";

      $st = $conn->prepare( $sql );
      $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
      $st->execute();
      $list = array();

      while ( $row = $st->fetch() ) {
        $article = new Article( $row );
        $list[] = $article;
      }

      // Get the total number of articles that matched the criteria
      $sql = "SELECT FOUND_ROWS() AS totalRows";
      $totalRows = $conn->query( $sql )->fetch();
      $conn = null;
      return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
    }

You need to pick one of mysql_, mysqli_ and PDO (don't pick mysql_).

You can't mix PDO and mysqli_.

You don't need to use mysqli_escape_string to defend PDO against SQL injection; it has its own methods (which you are using for numRows!!).

See How can I prevent SQL injection in PHP? for guidance on handling special characters with PDO.
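The answer points to PDO's own defence, bound parameters, as already used for numRows. A column name and sort direction in ORDER BY cannot be bound that way, so a common approach is to check them against an allowlist. This is an added example, not part of the original answer or the tutorial's code; `safeOrderBy`, the column list and the in-memory SQLite table (used so it runs without a MySQL server) are assumptions made for illustration.

```php
<?php
// Added example: allowlist a caller-supplied sort order before it reaches the SQL text.

// Hypothetical helper: turns "column [ASC|DESC]" into a fixed, known-good SQL fragment.
function safeOrderBy(string $order): string {
    // Assumed sortable columns of the articles table.
    $columns = ['id', 'title', 'publicationDate'];
    $parts = preg_split('/\s+/', trim($order));
    $column = $parts[0] ?? '';
    $direction = strtoupper($parts[1] ?? 'ASC');
    if (count($parts) > 2
        || !in_array($column, $columns, true)
        || !in_array($direction, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('Unsupported sort order');
    }
    // Only strings from the allowlists above are ever concatenated into the query.
    return "$column $direction";
}

function getList(PDO $conn, int $numRows = 1000000, string $order = 'publicationDate DESC'): array {
    $sql = 'SELECT * FROM articles ORDER BY ' . safeOrderBy($order) . ' LIMIT :numRows';
    $st = $conn->prepare($sql);
    // Values (as opposed to identifiers) go through bound parameters.
    $st->bindValue(':numRows', $numRows, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, publicationDate TEXT)');
$conn->exec("INSERT INTO articles (title, publicationDate)
             VALUES ('First', '2016-01-01'), ('Second', '2016-02-01')");

// Accepted: both tokens are on the allowlist (direction is case-insensitive).
print_r(array_column(getList($conn, 10, 'publicationDate desc'), 'title'));

// Rejected before any SQL is built: extra tokens and unknown columns never reach the query.
foreach (['publicationDate DESC; SELECT 1', 'password'] as $bad) {
    try {
        getList($conn, 10, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected '$bad': ", $e->getMessage(), "\n";
    }
}
```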

