mysql_real_escape_string with PDO PHP

Question

Hello i am new to PDO so getting confused and getting errors ;) with mysql_real_escape_string ..

can any one help, here is my code

if(!empty($_POST) && isset($_POST)) { 

include ('connection_pdo.php');

$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

$source_url= mysql_real_escape_string($_POST['source_url']);
$class     = mysql_real_escape_string($_POST['class']);
$year      = mysql_real_escape_string($_POST['year']);
$date      = time();
$ip        = $_SERVER['REMOTE_ADDR'];

$insert = $dbh->prepare("
  INSERT IGNORE INTO school_students_images
            ( folder_name,  image_url,  source_url,  class, year , date , ip )
    VALUES  (:folder_name, :image_url, :source_url, :class, :year, :date, :ip)
");

$a=0;
while ($a<1000){
$a++;
$insert->execute(array(
            'folder_name'=> $name->content, //** geting from other source
            'image_url'  => $link[$a], //** geting from other source
            'source_url' => $source_url,
            'class'      => $class ,
            'year'       => $year ,
            'date'       => $date,
            'ip'         => $ip
            ));
}

it not working getting error but if i am using it with-out

    $source_url= ($_POST['source_url']);
    $class     = ($_POST['class']);
    $year      = ($_POST['year']);
    $date      = time();
    $ip        = $_SERVER['REMOTE_ADDR'];

it is working ... so i am confused is it safe to POST without mysql_real_escape_string into database? (is PDO giving any security by default ?) or i am doing some mistake in this... please help

score 12 · Accepted Answer · edited May 23 '17 at 12:07

12

Yes, PDO automatically escapes your data, so you don't need to use mysql_real_escape_string. See here, for example.

edited May 23 '17 at 12:07

Community

1
1

answered May 25 '12 at 07:38

Daan

3,403
23
19

score 4 · Answer 2 · answered May 25 '12 at 07:39

4

mysql_real_escape_string requires an active mysql connection made through a mysql_connect call previously... So yes, it won't work.

PDO does that automatically for you anyway

answered May 25 '12 at 07:39

Andreas Wong

59,630
19
106
123

score 2 · Answer 3 · answered May 25 '12 at 07:39

2

With prepared statements you don't have to escape your variables. The driver will do it for you automatically, depending on the database you are using underneath. Actually you mustn't escape it yourself, since this will double escape it.

answered May 25 '12 at 07:39

sivann

2,083
4
29
44

mysql_real_escape_string with PDO PHP

3 Answers3

Linked