views:

144

answers:

6

Is mysql_real_escape_string() supposed to replace both addslashes() and stripslashes()?

i.e., do I use it to encode form input variables on MySQL inserts as well as use it in place of stripslashes() on MySQL select statements?

Sincerely, Confused PHP noob

+2  A: 

Yes, it should do all the backslashing for you (based upon whatever charset the mysql server is)

webdestroya
thank you for the right answer. fuck all this PDO nonsense.
confusedphpnoob
no problem. make sure to mark one of the responses as the answer
webdestroya
+3  A: 

I recommend using PDO and prepared statements instead; see the PDOStatement class. Prepared statements can be more efficient (if the engine doesn't have to reparse your SQL). They should also prevent you from accidentally storing escaped data in the db (double-escaping). Using PDO will make it easier to add support for other databases.

Matthew Flaschen
I don't want to use PDO, I want to use MySQL only.
confusedphpnoob
You can use PDO even if you require MySQL-specific features. You don't *have* to support multiple databases. It's still a better library than `mysql_connect` and friends.
Matthew Flaschen
fuck man. I don't CARE ABOUT PDO. Just need to bang this code out now so I can go get hammered!
confusedphpnoob
@confusedphpnoob That's the wrong attitude to have if you ever hope to become even a decent programmer - let alone a good one.
Daniel Bingham
@confusedphpnoob - it's a side effect of any question about `mysql_real_escape_string()`. Invariably, most of the answers in the thread won't address the question, and instead recommend something else. Don't take it personally ;)
zombat
Thanks - I just want the answer to the mysql_real_escape_string. PDO is probably a million times better but I don't care about it right now.
confusedphpnoob
+1  A: 

Yes, it should escape strings in preparation for use in MySQL. However, it is not the be-all, end-all of avoiding SQL injection. It does in fact leave you very vulnerable to it still.

Better to use the PHP PDO instead, parameterized queries are the way to go ;)

Daniel Bingham
+1  A: 

I'd recommend using prepared statements. That way you won't have the hassle of manually escaping every query.

$stmt = $db->prepare("SELECT stuff FROM table WHERE something = ?");
$stmt->bind_param('s', $something); // 's' means string
$stmt->execute();

Another option is to use PDO, which is an even better version of this, and generally database independent.

Tor Valamo
Wrong answer? Seriously, I DONT WANT THIS PDO NONSENSE.
confusedphpnoob
@confusedphpnoob Let me put it to you this way. There is a fair probability that the mysql_* family of functions will be deprecated in the future. They are outdated. They aren't as secure, efficient or well written as the PDO. The PDO is the "correct" way to handle a database connection in PHP 5 and above. If you don't want your code to break and stop working in the future, learn to use the PDO.
Daniel Bingham
Ok thank you. Sorry for being a dick. Everywhere I look people answer this question the same way... Just want the answer to this particular question and not a better solution.
confusedphpnoob
I know the feeling, I've had a similar experience many times on SO. What I've learned is that, even if the answer I'm getting isn't the one I was looking for it's usually the best answer. Usually ;)
Daniel Bingham
+1  A: 

http://php.net/manual/en/function.mysql-real-escape-string.php

You wouldn't want to use addslashes() and stripslashes(). If I recall correctly, mysql_real_escape_string() is more similar to addslashes(), but it escapes different characters.

Andrew
addslashes on input, stripslashes on output, right?
confusedphpnoob
Yup. (I think). Just look it up in the PHP manual. =P.
Andrew
+6  A: 

If you are using the regular MySQL driver module for PHP, then yes, mysql_real_escape_string() is the way to go. You can ignore addslashes() and stripslashes() entirely, in fact.

Your query creation will look something like this:

$sql = "INSERT INTO tbl (x) VALUES ('".mysql_real_escape_string($x)."')";

mysql_real_escape_string() should be used on any user input that is going into your query. Note that you don't want to escape your data any other way before inserting it. You shouldn't use addslashes() or htmlentities(), which are common mistakes when storing HTML fragments in a database. You should not need to unescape your data in any way after you have retrieved it.

As other posters mention, there are other MySQL database driver modules for PHP, including PDO and MySQLi. Both offer a feature known as prepared statements, which is an alternative method of creating queries that handles escaping for you.

zombat
Ok, but do I use it when retrieving on SELECT statements as well?
confusedphpnoob
Yes - generally any data that you put into any query should be escaped, unless you know for sure it's clean.
zombat
money. All I need to know! Thanks, y'all. I will learn PDO one day.. today is not that day.
confusedphpnoob
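The two paths zombat's answer describes (escape-and-quote on input versus a prepared statement, with no unescaping on output), as an added example that is not from the thread. It uses the mysqli driver the answer names; the connection credentials, the table `tbl` and its column `x` are hypothetical, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example (not from the thread): the two safe paths the accepted answer
// describes, side by side. Assumes a live mysqli connection $db and a table
// `tbl` with a single VARCHAR column `x` (both hypothetical).
declare(strict_types=1);

// Path 1: escape with the connection's character set, and quote the value yourself.
// real_escape_string() only escapes; it does not add the quotes, and the
// escaping is only correct for the character set the connection is using.
function insertEscaped(mysqli $db, string $x): bool
{
    $sql = "INSERT INTO tbl (x) VALUES ('" . $db->real_escape_string($x) . "')";
    return $db->query($sql);
}

// Path 2: a prepared statement. The value never becomes part of the SQL text,
// so nothing has to be escaped and the charset question disappears.
function insertPrepared(mysqli $db, string $x): bool
{
    $stmt = $db->prepare("INSERT INTO tbl (x) VALUES (?)");
    $stmt->bind_param('s', $x);   // 's' means string
    return $stmt->execute();
}

// Reading back: the stored value comes out exactly as it went in. No
// stripslashes() on output, because escaping changed the SQL text around
// the data, not the data itself.
function fetchByValue(mysqli $db, string $x): ?string
{
    $stmt = $db->prepare("SELECT x FROM tbl WHERE x = ?");
    $stmt->bind_param('s', $x);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    return $row[0] ?? null;
}

$db = new mysqli('localhost', 'user', 'pass', 'dbname'); // hypothetical credentials
$db->set_charset('utf8mb4');   // escaping depends on this, so set it explicitly
$input = "O'Reilly; DROP TABLE tbl; --";   // constructed input containing a quote

insertEscaped($db, $input);
insertPrepared($db, $input);
// Compare what came back with what went in: a mismatch here is the
// double-escaping symptom (an addslashes() before insert would store "O\'Reilly").
var_dump(fetchByValue($db, $input) === $input);
```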