12

I am using PHP version 5.3 and trying to use mysql_real_escape_string($unescaped_string) in my code, but I get the error:

```
Fatal error: Call to undefined function mysql_real_escape_string() in /var/www/engine/database.php on line 38
```

I can still connect to the database however. Why is it not available?

I am using PHP version 5.3.

Eric Leschinski
MichaelH
  • Please show us your code – GBD Dec 13 '12 at 09:22
  • Try mysql_escape_string() instead – jtheman Dec 13 '12 at 09:23
  • @jtheman why are you suggesting replacement of a better function (that takes server configuration into account) with a worse function (just a simple string replace)? – Vyktor Dec 13 '12 at 09:25
  • How did you know that you can get database – Rohit Choudhary Dec 13 '12 at 09:26
  • @Vyktor Sure it's better. But it's not certain the user can change his server config. – jtheman Dec 13 '12 at 09:26
  • mysql_real_escape_string() was created because mysql_escape_string() has vulnerabilities, would strongly advise not to use it! – Boštjan Pišler Feb 09 '16 at 09:12
  • The problem with `mysql_real_escape_string()` is it requires a connection to the DB to determine the character set. Unfortunately you could very well have a program which needs to escape strings but doesn't have a way to get a connection to the DB (e.g. a program which creates a file of INSERT statements which is then transported to the DB machine to be acted upon). – John Hascall Dec 15 '18 at 00:37

5 Answers

19

Update: as mentioned in a comment, mysql_ has been deprecated since 5.5:

> The mysql extension has been deprecated since PHP 5.5. The mysqli or PDO extension should be used instead. The deprecation has been decided in mysql_deprecation, where a discussion of the reasons behind this decision can be found.

and removed in PHP 7.


mysql_real_escape_string() is a standard part of the MySQL function "batch" and should always work if the extension is loaded correctly.

Does any other mysql_ function work? (It should not)

Make sure that you have this line uncommented in your php.ini:

```
extension=mysql.so
```

Also, it would be wise to use mysqli or PDO instead (mysql_ is deprecated); both can take care of escaping for you.

Community
Vyktor
  • Sorry, this question was my fault. When I used the sudo apt-get install php5-mysql it failed, and I thought that my other connect statement was working properly. I guess you just got yourself a free correct answer. – MichaelH Dec 13 '12 at 09:26
  • @MichaelH it takes some practice to check system configuration first (after update) before wondering what's wrong with your code. – Vyktor Dec 13 '12 at 09:29
  • The MySQL extension is [not available since PHP 5.5](https://wiki.php.net/rfc/remove_deprecated_functionality_in_php7); use ext/mysqli or ext/pdo_mysql instead. – Kristoffer Bohmann Feb 21 '16 at 12:49
8

In my case I used mysqli_real_escape_string instead of mysql_real_escape_string.

Rahul Kumar
speksy
1

Interestingly, after exploring all the other solutions here, I realized the problem is actually due to the php5-mysql extension not having been installed yet - it's not installed by default on a fresh Ubuntu, nor when you install fresh PHP. So, for me the solution became: install the php5-mysql extension:

```
sudo apt-get install php5-mysql
```

After this, I wasn't getting those nasty mysql_* errors again ;-)

JWL
0

Maybe your problem resides in the PHP server config (compiling).

Here is more information about mysql_real_escape_string: http://www.php.net/manual/en/function.mysql-real-escape-string.php

shinosn
0

The MySQL extension has been deprecated since PHP 5.5. mysql_real_escape_string() is therefore not available in PHP 7. This means that user input cannot be escaped correctly and leaves the code open to SQL injection attacks.

The PHP-official solution is to replace ext/mysql with MySQLi, PDO or another supported database extension.

To prevent SQL injection attacks, it is recommended to use prepared statements and parameterized queries when talking to the database.

Community
Kristoffer Bohmann
  • Any database API that's available (mysql, mysqli, PDO, whatever) has a function to escape values correctly or to use the prepared statement API of the database directly (much better approach to begin with). If `real_escape_string` or equivalent is not available that means the entire database API is not available and you have much bigger problems anyway. There should never be a need to poorly reimplement this function. Critically you're not implementing any encoding concerns, which still leaves you open to injection in certain multi-byte encodings. – deceze Feb 21 '16 at 13:28
  • @deceze: Answer changed to focus on the "MySQL extension is deprecated" part. Removed function that mimics `mysql_real_escape_string()`. – Kristoffer Bohmann Feb 22 '16 at 05:54
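
An added example, not part of any answer above: it reports which MySQL client extensions this PHP build has loaded (the check behind the fatal error in the question), then runs a parameterized query through PDO, as the answers recommend in place of mysql_real_escape_string(). The `users` table, the sample inputs, the helper names and the in-memory SQLite stand-in are assumptions made so that it runs without a MySQL server.

```php
<?php
// Added example: not code from the question or from any answer.

// Which MySQL client APIs does this PHP build expose? A missing ext/mysql is
// what produces "Call to undefined function mysql_real_escape_string()".
function mysql_api_status()
{
    return array(
        'ext/mysql (removed in PHP 7)' => function_exists('mysql_real_escape_string'),
        'ext/mysqli'                   => extension_loaded('mysqli'),
        'ext/pdo_mysql'                => extension_loaded('pdo_mysql'),
    );
}

// Look up a user with a bound parameter: $name is sent as data, never as SQL text.
function find_user(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach (mysql_api_status() as $api => $loaded) {
    echo str_pad($api, 30), $loaded ? "loaded\n" : "not loaded\n";
}

// Stand-in database so the example runs offline (needs pdo_sqlite).
// Against MySQL the DSN would be 'mysql:host=HOST;dbname=DBNAME;charset=utf8mb4'
// (HOST and DBNAME are placeholders), with PDO::ATTR_EMULATE_PREPARES set to
// false so the server does the binding; find_user() stays unchanged.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
foreach (array('alice', "o'brien") as $n) {   // constructed sample rows
    $insert->execute(array($n));
}

// Constructed inputs: a plain name, a name containing a quote, and a string
// that would alter the WHERE clause if it were concatenated into the query.
$inputs = array('alice', "o'brien", "x' OR '1'='1");
foreach ($inputs as $in) {
    printf("%-16s -> %d row(s)\n", $in, count(find_user($pdo, $in)));
}
```

The two stored names each match one row and the third input matches none, because the bound value is compared as a literal string.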