escape character problem

i have this code which add textbox dynamically

row_no=0;
function addRow(tbl,row){
row_no++;
if (row_no<=20){
if (row_no>=10){
var textbox  = '';}
if (row_no<10){
var textbox  = '';}
var textbox2 = '';
var tbl = document.getElementById(tbl);
var rowIndex = document.getElementById(row).value;
var newRow = tbl.insertRow(row_no);
var newCell = newRow.insertCell(0);
newCell.innerHTML = textbox;
var newCell = newRow.insertCell(1);
newCell.innerHTML = textbox2;
var newCell = newRow.insertCell(2);
}
if (row_no>20){
alert ("Too Many Items. Limit of 20.");
}

Html code is

<div style="padding-top:30px;">
<input type="button" name="Button" class="button" value="Add Ingredient" onClick="addRow('table1','row1')" />
<table style="padding-left:160px" w开发者_Python百科idth="600" border="0" cellspacing="0" cellpadding="2" id="table1">
<th><center>Ingredient
<th>amount
</center>
<tr id="row1">
</tr>
</table>
</div>



  

$ingredient = $_POST['ingredient'];
$amount = $_POST['amount'];
$integer = 0;
$ingredient=mysql_real_escape_string($ingredient);
$amount=mysql_real_escape_string($amount);
while (count($ingredient)>$integer) {
if (($ingredient[$integer] <> "") && ($amount[$integer] <> "")){
$sql =  "INSERT INTO cafe.ingredients (ingredient_name, ammount, rec_id)
    VALUES ('".$ingredient[$integer]."', '".$amount[$integer]."', '$rec_id')" ;
echo "the echo value is".$ingredient[$integer]."and the error is below 
";
mysql_query($sql) or die(mysql_error());
}
else{
echo "ingredient number ".($integer+1)." is missing values and cannot be inserted.";
}
$integer = ($integer + 1);
}

My question is when i use escape character i.e (') or (") and post the data in php script its ok but when i insert this data to mysql then it will give me error

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/book/books.php on line 123

I think the error message state it, mysql_escape_string expect the first parameters to be a string not an array.

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in /var/www/book/books.php on line 123

you can use array_map if you want to escape an whole array,you should do:

$ingredient = $_POST['ingredient'];
$amount = $_POST['amount'];
$integer = 0;
$ingredient = array_map('mysql_real_escape_string', $ingredient);
$amount = array_map('mysql_real_escape_string', $amount);
while (count($ingredient)>$integer) {
if (($ingredient[$integer] <> "") && ($amount[$integer] <> "")){
$sql =  "INSERT INTO cafe.ingredients (ingredient_name, ammount, rec_id)
    VALUES ('".$ingredient[$integer]."', '".$amount[$integer]."', $rec_id)" ;
echo "the echo value is".$ingredient[$integer]."and the error is below 
";
mysql_query($sql) or die(mysql_error());
}
else{
echo "ingredient number ".($integer+1)." is missing values and cannot be inserted.";
}
$integer = ($integer + 1);
}

$amount is an array. mysql_real_escape_string expects a string and not an array, that's why you get the error message. You probably need to traverse the $amount array and call mysql_real_escape_string for each member of the array.