
I'm trying to take a variable that's passed in a query string (GET) and then use that variable to do a SELECT based on it...

// Assign query string to a variable while sanitizing it against XSS
$event = ee()->input->get_post('event', TRUE);

// Build query
$sql = "SELECT t.entry_id
    FROM exp_channel_titles t
    LEFT join exp_channel_data d
    ON t.entry_id = d.entry_id
    WHERE
        field_id_42 LIKE '" . mysqli_real_escape_string($event) . "';";

// Execute query
$query  = ee()->db->query( "$sql" );

It executes as expected, however I am seeing the following error in the error log:

Severity: Warning --> mysqli_real_escape_string() expects exactly 2 parameters, 1 given

What is the 'EE way' to pass the required connection parameters to the mysqli_real_escape_string() function?

1 Answer

Use ee()->db->escape_str($event) - it's the native way to escape potentially-unsafe data in EE.
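As an added example (not code from the question or the answer above), here is the asker's query rebuilt with the EE database class's own escaping, as the answer suggests, plus one caveat a practitioner would want: escape_str() neutralizes quotes and backslashes, but not the LIKE wildcards % and _, so a visitor sending "%" would match every row. The code assumes it runs inside an ExpressionEngine 2.x add-on where ee()->db is the CodeIgniter-derived database object; the query-binding variant at the end assumes the CodeIgniter-style "?" bind support that class inherits.

```php
<?php
// Added example, not from the original post. Assumes ExpressionEngine 2.x,
// where ee()->db is the CodeIgniter-derived database object.

// Read the GET/POST value; TRUE runs EE's XSS filter. That filter protects
// HTML output, not SQL, so the value still needs SQL escaping below.
$event = ee()->input->get_post('event', TRUE);

// Escape the LIKE wildcards first. Backslash is MySQL's default LIKE escape
// character, and in a PHP single-quoted string '\%' is a literal backslash
// followed by a percent sign.
$like_value = str_replace(array('%', '_'), array('\%', '\_'), $event);

// escape_str() escapes quotes and backslashes for the active connection, so
// no mysqli link handle is needed (that missing handle caused the warning
// with mysqli_real_escape_string). The '\%' / '\_' sequences survive it
// unchanged and are read by MySQL as literal % and _ inside a LIKE pattern.
$sql = "SELECT t.entry_id
    FROM exp_channel_titles t
    LEFT JOIN exp_channel_data d
    ON t.entry_id = d.entry_id
    WHERE d.field_id_42 LIKE '" . ee()->db->escape_str($like_value) . "'";

$query = ee()->db->query($sql);

// Alternative that avoids hand-built string literals: query bindings.
// Each ? is replaced by the database class with the escaped value, so the
// raw (wildcard-escaped, but not escape_str'd) value is passed here.
// Assumption: the CodeIgniter-style bind support in EE's database class.
$sql_bound = "SELECT t.entry_id
    FROM exp_channel_titles t
    LEFT JOIN exp_channel_data d
    ON t.entry_id = d.entry_id
    WHERE d.field_id_42 LIKE ?";

$query_bound = ee()->db->query($sql_bound, array($like_value));

foreach ($query->result_array() as $row)
{
    // $row['entry_id'] holds each matching entry
}
```

Whichever form is used, the value handed to escape_str() or to the bind array must be the one and only escaping step for quotes; escaping it twice (for example, escape_str() and then a bind) would corrupt legitimate input containing apostrophes.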
