Using real_escape_string()

I have a big form that, when submitted, executes some preg_replace calls converting HTML tags into clear text to be inserted into my db…

but I’m still getting some errors, and I’m sure I can’t expect all errors in advance, so I want to execute real_escape_string…

so I have
$text = $_POST(‘text’) after several preg_replace;
$query = "INSERT INTO table (field1,field2,field3) VALUES ".$text;
$sql = Conn()->prepare($query);
$prueba = $sql->real_escape_string();
$insert = $prueba->execute();

I get Call to undefined method Doctrine\DBAL\Statement::real_escape_string()

  1. The prepare() method returns a prepared statement of the type Doctrine\DBAL\Statement, not mysqli.
  2. You should use $sql->executeStatement(), your $prueba cannot be executed.
  3. You may use bindValue() so you don’t need to use real_escape_string().

See Using Prepared Statement for details and example.
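
The three points above as one runnable script (an added example, not part of the original reply or of PHPMaker's documentation). It assumes doctrine/dbal installed through Composer and the pdo_sqlite extension; the in-memory connection stands in for PHPMaker's Conn(), and the table, columns and form values are constructed.

```php
<?php
// Added example: bind form values instead of concatenating or escaping them.
require __DIR__ . '/vendor/autoload.php';

use Doctrine\DBAL\DriverManager;
use Doctrine\DBAL\ParameterType;

// Stand-in for Conn(): an in-memory SQLite database (assumption for the demo).
$conn = DriverManager::getConnection(['driver' => 'pdo_sqlite', 'memory' => true]);
$conn->executeStatement('CREATE TABLE notes (id INTEGER, name TEXT, body TEXT)');

// Constructed form input containing quotes and markup that would break
// a query built with string concatenation.
$post = [
    'id'   => '7',
    'name' => "O'Brien",
    'body' => "<b>it's</b> a test'); --",
];

// The SQL text is constant: placeholders only, never user data.
$stmt = $conn->prepare(
    'INSERT INTO notes (id, name, body) VALUES (:id, :name, :body)'
);

// Values are sent separately from the SQL text, so no escaping call is needed.
$stmt->bindValue('id', (int) $post['id'], ParameterType::INTEGER);
$stmt->bindValue('name', $post['name']);
$stmt->bindValue('body', $post['body']);

// executeStatement() runs the INSERT and returns the number of affected rows.
$affected = $stmt->executeStatement();

// Read the row back to confirm the text was stored exactly as submitted.
$row = $conn->executeQuery('SELECT id, name, body FROM notes')->fetchAssociative();

printf("rows inserted: %d\n", $affected);
printf("stored name:   %s\n", $row['name']);
printf("stored body:   %s\n", $row['body']);
```

Binding protects the INSERT itself; text that is later shown in a page still needs HTML output encoding at display time.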

Done.
It did work. But…
It works with method GET…
The same form, if I change it to POST, gets an error.

Also …
Any input field in PHPMaker already has strip_tags or something applied, right?
Because my script converts

nnn into Insert into table (id,name) values (Yyy,nnn) But if I use a normal PHPMaker field I got Insert into table (id,name) values (nnn). So the preg_replace that takes value= as id didn't work...

I got it to work, but by setting “CHECK_TOKEN” => false in config…
Is there any way to disable Check_token in a custom file?
I instead use

As it is explained in Tools → Check token for form post
But… again…
I’m on a Custom File…
And CurrentPage()->Token doesn’t work on Custom file

You may post your code in that Custom File for more discussion.