Login/Register
Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data? [duplicate]
Asked Answered
phpmysqlmysqlimysql-real-escape-string
N

6

12

Possible Duplicate:
mysql_escape_string VS mysql_real_escape_string

I need to get company_name (given by user through a form) entered into my mysql database. When I use 

$company = mysqli_real_escape_string($_POST['company_name'])

I get an error

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in     /opt/lampp/htdocs/Abacus-Version-2/admin/Company/insert_company.php on line 58

But everything seems to fine while using

$company = mysql_real_escape_string($_POST['company_name'])

What can I do in such cases?

Nonce answered 3/1, 2013 at 9:16 Comment(4)
Not understanding the duplicate votes. That "duplicate" question is about escape vs real_escape. This one is about mysql vs mysqli, both real_escape.Savannahsavant
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.Contentious
@MadaraUchiha they're using mysqli alreadyEllene
@YourCommonSense: Apparently not. If they're using mysql_real_escape_string and it works, it means they have an ext/mysql connection.Contentious
K
14

The one to use depends on whether you are using the MySQLi extension or the MySQL extension

// procedural mysqli 
$db = new mysqli; 
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", 
   mysqli_real_escape_string($db,$name), 
   mysqli_real_escape_string($db,$email), 
   mysqli_real_escape_string($db,$comment) ); 

// mysql 
$conn = mysql_connect(); 
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", 
   mysql_real_escape_string($name,$conn), 
   mysql_real_escape_string($email,$conn), 
   mysql_real_escape_string($comment,$conn) );
Kravits answered 3/1, 2013 at 9:23 Comment(5)
Again, no! mysql_* cannot be used nowadays.Finalist
As a matter of fact, they can be freely used as long as your PHP version below 5.5 (and even with further versions too, with cost of little error suppression)Ellene
@YourCommonSense, nope they should be used with PHP version below 5.0 only, since they are being deprecated and mysqli and PDO drivers were deployed in PHP 5.x.Finalist
@Jeffrey Nope, the developer is free to use mysql_* if they so wish. It'll only generate E_DEPRECIATED warnings if used in 5.5+. Your original point "cannot be used" is incorrect - it is merely inadvisable to use them.Thesda
"You can drive a car with your feet if you want to, that don't make it a good idea." - Chris RockDry
H
10

mysql_real_escape_string() is designed to make data safe for insertion into the database without errors. (IE such as escaping slashes so that it doesn't break your code).

You should use mysql_ or mysqli_ functions to match your connection string. "mysqli" is the object oriented implementation of the mysql set of functions, so the functions are called in the object oriented style. "mysql" is procedural. I'd suggest changing over to "mysqli" because I believe there has been talk of depreciating the "mysql" functions in future versions.

If you connection string is:

mysql_connect()

then use:

mysql_real_escape_string($_POST[''])

If it is:

$mysqli = new mysqli();

then use:

$mysqli->real_escape_string($_POST[''])
Hydrogenate answered 3/1, 2013 at 9:19 Comment(4)
He is putting a $_POST value in the escape method. And the file is called insert_company.php, so it's more than likely he is inserting data.Savannahsavant
Whoops, he confused me because he said "I want to get". I have corrected my answer.Hydrogenate
@YourCommonSense ohhh is that right? Is that why is states it in the manual??? "Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query()." php.net/manual/en/function.mysql-real-escape-string.php Happy reading!Hydrogenate
Please note that this is now deprecated. This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0.Hydrogenate
E
3

Definitely NO

Both functions has nothing to do with form data.
They have to be used to format string literals inserted into SQL query only.
This function belongs to the SQL query, not to whatever form. And even to very limited part of the query - a string literal.

So, every time you're going to insert into query a string literal (frankly, a portion of data enclosed in quotes), this function ought to be used unconditionally.
For the any other case it shouldn't be used at all.

As for the error you're getting - it's pretty self-explanatory: this function expects 2 parameters, not one. Just pass proper parameters as stated in the manual page for this function, and you'll be okay

Ellene answered 3/1, 2013 at 9:22 Comment(2)
It's not "pretty self explanatory" - the OP is clearly confused about the two implementations of the MYSQL functions. The "mysqli" function won't all of a sudden work when two parameters are passed, unless he has instantiated this object.Hydrogenate
Agreed about the using it without reading the docs, but if there isn't a question here then we should be closing the question rather than answering. It is not self explanatory because this is users problem. Their problem is distinguishing between "mysqli" and "mysql" functions.Hydrogenate
A
1

It should be this if you use Procedural style:

$city = mysqli_real_escape_string($link, $city);

where link is the connection

or this when you use Object oriented style:

$city = $mysqli->real_escape_string($city);

Check out the php manual: http://php.net/manual/en/mysqli.real-escape-string.php

Antimalarial answered 3/1, 2013 at 9:21 Comment(3)
Did you read the question?Finalist
Yes, he gets an error so I give him a solution for his error. You should always put the data as it is enterd in the database when you get the data back from the database you will format the data with something like htmlentities.Antimalarial
I tried it the procedural way but the result I get is an empty string. any suggestions?Jonjona
L
0

Both variants are fine* (Please look at my Update).

When you are using a mysql_connect then you should stick to mysql_real_escape_string() and also pass the connection handle.

When you are using a mysqli_connect then you should stick to mysqli_real_escape_string().

UPDATE

As pointed out by Jeffrey in the comments, using mysql_ functions is NOT fine. I agree to that. I was just pointing out, that you need to use the function that is used by the MySQL-extension you are using.

It came to me, that it was not the question, which MySQL-extension to use, but which function for escaping data.

If you ask me:

  • Use mysqli or PDO, because mysql is not recommendable and deprecated.
  • Pass the Connection Handle to the escape-function or better
  • use prepared Statements (PDO-Style)
Linda answered 3/1, 2013 at 9:18 Comment(3)
Jeffrey, i answered to the question to his usecase, i did not regard the advantages of the mysqli extension. I clarified my answer, hope it is better now, so i could help other people as well.Linda
these functions should not be used to escape "data"Ellene
@steve, I know that, I see that. In fact I haven't downvoted you, that was a comment that needed to be there for future visitors that might feel encouraged to use them.Finalist
S
0

Since all the MySQL extension is being deprecated, you'd best use the MySQLi methods instead, it's more future proof.

Savannahsavant answered 3/1, 2013 at 9:21 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.