I'm trying to retrofit a project of mine to use real_escape_string. I've read the documentation, tutorials, and Stack Overflow related questions, and it seems like I'm doing it correctly, but obviously something is wrong. I'm very confident it's the real_escape_string itself, since when I comment that out, everything works as it did. I'm going for the object-oriented way.
Here's my connect.
$con= new mysqli("localhost","root","","venue");
Here's me escaping the string.
$message = $_POST['text'];
$message = mysqli_real_escape_string($con, $message);
Here's my query
$operation = "INSERT INTO
chat(user, message)
VALUES('". $_SESSION['name'] ."', '$message')";
$result = mysqli_query($con, $operation);
I've tried changing the $message in the query to '". $message .'". I've tried changing how I call the query as well. I've tried dozens of combinations, and read more than enough. I'm still missing something. What am I doing wrong?
mysqli_real_escape_string takes two parameters; you forgot to put the connection to your database. Also delete the $ before mysqli_real_escape_string, because it's a mysqli function, not a variable.
$message = mysqli_real_escape_string($con, $message);
You've got an extra semicolon. Just delete it.
$operation = "INSERT INTO
chat(user, message)
VALUES('". $_SESSION['name'] ."', '$message')";
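An added example, not part of the original question or answers: the same insert written as a mysqli prepared statement, with error reporting turned on so a failing call raises an exception instead of silently doing nothing. The connection parameters and the chat(user, message) table are taken from the question; the function name save_chat_message and the utf8mb4 charset are assumptions.

```php
<?php
// Added example (not from the original thread). Connection parameters and the
// chat(user, message) table come from the question; save_chat_message() and
// the utf8mb4 charset are assumptions made for illustration.

// Make mysqli throw exceptions instead of failing silently, so a failed
// connection or a rejected query is visible right away.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function save_chat_message(mysqli $con, string $user, string $message): int
{
    // Placeholders keep the data out of the SQL text. No escaping is needed,
    // and the session name gets the same protection as the posted text.
    $stmt = $con->prepare('INSERT INTO chat (user, message) VALUES (?, ?)');
    $stmt->bind_param('ss', $user, $message);
    $stmt->execute();
    $rows = $stmt->affected_rows;
    $stmt->close();
    return $rows;
}

session_start();

try {
    $con = new mysqli('localhost', 'root', '', 'venue');
    // Set the charset on the connection itself; escaping and parameter
    // encoding both depend on it.
    $con->set_charset('utf8mb4');

    $user = $_SESSION['name'] ?? '';
    $message = $_POST['text'] ?? '';
    if (!is_string($user) || !is_string($message) || $user === '' || $message === '') {
        http_response_code(400);
        exit('Missing user or message');
    }

    $rows = save_chat_message($con, $user, $message);
    echo $rows === 1 ? 'Message saved' : 'Nothing inserted';
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors to the client.
    error_log('chat insert failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Could not save message');
}
```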