views: 605
answers: 3

stripslashes()? That's lame and so 4.0. What's the 5.0 counterpart of mysqli::real_escape_string that strips all slashes added for SQL queries?

Got some other questions:

  1. Tried to update a record and added a single quote in a text field; turns out phpMyAdmin escapes the string with single quotes instead of slashes - e.g. a single quote is escaped as '' (2 single quotes) instead of \' - what function is phpMyAdmin using, or is it its own? So, MySQL supports 2 approaches for escaping strings, namely slash and single quote?

  2. Do I always have to unslash the string selected from MySQL? 'Cause you know it's slashed at insertion. But I thought I don't have to.

Any ideas, thanks!

+1  A: 

Use PDO instead of any of the mysql[i]/pgsql/... extensions.

If you're just looking to reverse the damage done by magic quotes, though, stripslashes() is exactly what you're looking for.

Tom
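An added example of both halves of this answer, not code from Tom or from the original thread: reverse magic_quotes_gpc exactly once at request start, then run the UPDATE from the question as a PDO prepared statement so the value is never escaped by hand. The table `notes` (columns `id`, `body`), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes a table `notes`
// (id INT, body TEXT) and the DSN credentials below.

// 1. If the server still has magic_quotes_gpc on, every GET/POST/COOKIE value
//    (and key) arrived with backslashes added. Reverse that exactly once, at
//    request start, so the rest of the code sees the raw user input.
function undo_magic_quotes(array $data)
{
    $clean = array();
    foreach ($data as $key => $value) {
        $clean[stripslashes($key)] = is_array($value)
            ? undo_magic_quotes($value)
            : stripslashes($value);
    }
    return $clean;
}

// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// 2. Send the value to MySQL as a bound parameter. The driver transmits it
//    separately from the SQL text, so quotes and backslashes in $body are
//    data, never syntax, and nothing is "slashed" on the way in.
$pdo = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4',   // assumed DSN
    'app_user',                                            // assumed credentials
    'app_password',
    array(
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    )
);

// Fall back to a constructed value with a quote, double quotes and a backslash
// when the script is run without a form post.
$body = isset($_POST['body']) ? $_POST['body'] : "O'Reilly's \"notes\" with a \\ backslash";
$id   = isset($_POST['id'])   ? (int) $_POST['id'] : 1;

$update = $pdo->prepare('UPDATE notes SET body = :body WHERE id = :id');
$update->bindValue(':body', $body, PDO::PARAM_STR);
$update->bindValue(':id',   $id,   PDO::PARAM_INT);
$update->execute();

printf("updated %d row(s)\n", $update->rowCount());
```

Because the value is bound rather than spliced into the query, there is no escaping step to reverse later: stripslashes() is only needed for undoing magic quotes, never for data coming back out of the database.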
+1  A: 

If you don't want to go with PDO, and you are using mysqli, you should be using prepared statements, so you don't have to worry about escaping quotes with things like mysql_real_escape_string_i_mean_it_this_time.

More specifically, you can call mysqli->prepare to prepare your query. Call mysqli_stmt->bind_param to set the parameter values. And call mysqli_stmt->execute to execute the query.

Kibbee
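An added example of that prepare / bind_param / execute sequence, not Kibbee's code or anything from the thread: it applies the sequence to the UPDATE from the question, reads the row back to show that nothing needs unslashing, and goes a little beyond the answer by running both quoting styles the question mentions through MySQL. The table `notes` (columns `id`, `body`) and the connection details are assumptions.

```php
<?php
// Added example, not from the original answer. Assumes a table `notes`
// (id INT, body TEXT) and the connection details below.

$db = new mysqli('localhost', 'app_user', 'app_password', 'test');  // assumed
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$db->set_charset('utf8mb4');   // escaping is charset-dependent; fix it on the connection

$id   = 1;
$body = "O'Reilly's \"notes\" with a \\ backslash";   // constructed test value

// prepare -> bind_param -> execute: the value never touches the SQL text,
// so no escaping function is involved and no slashes are added.
$stmt = $db->prepare('UPDATE notes SET body = ? WHERE id = ?');
$stmt->bind_param('si', $body, $id);   // 's' = string, 'i' = integer
$stmt->execute();
printf("rows affected: %d\n", $stmt->affected_rows);
$stmt->close();

// Read the row back the same way; no stripslashes() on the result.
$stmt = $db->prepare('SELECT body FROM notes WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($stored);
$stmt->fetch();
$stmt->close();
var_dump($stored === $body);   // identical: nothing was added on the way in

// Beyond the answer: the two quoting styles from the question.
// real_escape_string() produces the backslash form; phpMyAdmin's doubled
// quote is standard SQL. MySQL accepts both, unless sql_mode contains
// NO_BACKSLASH_ESCAPES, in which case only the doubled form is an escape
// and the backslashed literal below is a syntax error.
echo $db->real_escape_string("O'Reilly"), "\n";   // backslash form of the same value
$res = $db->query("SELECT 'It''s' AS doubled, 'It\\'s' AS backslashed");
$row = $res->fetch_assoc();
var_dump($row['doubled'] === $row['backslashed']);   // same string, two spellings
$db->close();
```

The point of the round trip is the second question in the post: with prepared statements the database stores exactly the bytes you bound, so the value that comes back out of SELECT is already the original string and must not be passed through stripslashes().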
+1  A: 

ini_set('magic_quotes_runtime', false);

Ant P.