Question

I got this simple search engine code but still can't protect it from SQL injections

 $sql = mysqli_real_escape_string($searchengine,$sql);

isn't working or I'm using it wrong... what am I doing wrong?

<?php
mysql_connect("localhost", "root", "");
mysql_select_db("searchengine");

// Both $_GET values are interpolated straight into the SQL string with no
// escaping or type check, which is what makes this query injectable.
$sql = mysql_query("SELECT * FROM searchengine WHERE pagecontent LIKE '%$_GET[term]%' LIMIT 0,$_GET[results]");

while ($ser = mysql_fetch_array($sql)) {
    echo "<h2><a href='$ser[pageurl]'>$ser[pageurl]</a></h2>";
}
?>

Solution

mysqli_real_escape_string is part of the mysqli module. You are mixing the two extensions and not using the function properly.

This is how you do it correctly:

mysql_connect("localhost", "root", "");
mysql_select_db("searchengine");

// Escape the user-supplied term before it goes inside the quoted LIKE
// pattern; %d forces the LIMIT value to an integer, so a cast is enough there.
$sql = mysql_query(sprintf(
    "SELECT * FROM searchengine WHERE pagecontent LIKE '%s' LIMIT 0,%d",
    '%' . mysql_real_escape_string($_GET['term']) . '%',
    (int) $_GET['results']
));

// mysql_query() returns false on error; don't hand that to mysql_fetch_array().
if ($sql === false) {
    die('Query failed.');
}

while ($ser = mysql_fetch_array($sql)) {
    // Escape the stored URL for the HTML context as well.
    $url = htmlspecialchars($ser['pageurl'], ENT_QUOTES, 'UTF-8');
    echo "<h2><a href='$url'>$url</a></h2>";
}

// don't forget to close connection
mysql_close();

P.S. mysql_* is officially deprecated. Please look into using PDO or MySQLi library.
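The same search written with PDO prepared statements, as an added example that is not part of the original answer. It reuses the question's database, table and column names (searchengine, pagecontent, pageurl) and the same localhost credentials as placeholders, and also escapes the LIKE wildcards % and _, which mysql_real_escape_string does not handle.

```php
<?php
// Added example (not from the original answer): the question's search with
// PDO prepared statements. DSN, credentials, table and column names are
// placeholders taken from the question.

// Escaping quotes is not enough for LIKE: the user can still supply % and _
// wildcards, so escape those too. Backslash is MySQL's default LIKE escape.
function buildLikePattern(string $term): string
{
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $term);
    return '%' . $escaped . '%';
}

function search(PDO $pdo, string $term, $results): array
{
    // Clamp the LIMIT to a sane integer range instead of trusting $_GET.
    $limit = max(1, min(100, (int) $results));

    // Placeholders keep data and SQL separate; no string interpolation.
    $stmt = $pdo->prepare(
        "SELECT pageurl FROM searchengine WHERE pagecontent LIKE :pattern LIMIT :lim"
    );
    $stmt->bindValue(':pattern', buildLikePattern($term), PDO::PARAM_STR);
    // LIMIT cannot be a quoted string, so bind it explicitly as an integer.
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=searchengine;charset=utf8mb4',
    'root', '',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

foreach (search($pdo, $_GET['term'] ?? '', $_GET['results'] ?? 10) as $url) {
    // Escape output as well: the stored URL is untrusted data in HTML context.
    $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    echo "<h2><a href='$safe'>$safe</a></h2>";
}
```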

License: CC-BY-SA with attribution
Not affiliated with StackOverflow