12

Possible Duplicate:
mysql_escape_string VS mysql_real_escape_string

I need to get company_name (given by user through a form) entered into my mysql database. When I use 

$company = mysqli_real_escape_string($_POST['company_name'])

I get an error

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in     /opt/lampp/htdocs/Abacus-Version-2/admin/Company/insert_company.php on line 58

But everything seems to fine while using

$company = mysql_real_escape_string($_POST['company_name'])

What can I do in such cases?

Community
  • 1
  • 1
user1629766
  • 157
  • 1
  • 1
  • 6
  • 8
    Not understanding the duplicate votes. That "duplicate" question is about `escape` vs `real_escape`. This one is about `mysql` vs `mysqli`, both `real_escape`. – Oldskool Jan 03 '13 at 09:26
  • 2
    [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – Madara's Ghost Jan 03 '13 at 09:39
  • @MadaraUchiha they're using mysqli already – Your Common Sense Jan 03 '13 at 09:42
  • @YourCommonSense: Apparently not. If they're using `mysql_real_escape_string` and it works, it means they have an ext/mysql connection. – Madara's Ghost Jan 03 '13 at 09:44

6 Answers6

14

The one to use depends on whether you are using the MySQLi extension or the MySQL extension

// procedural mysqli 
$db = new mysqli; 
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", 
   mysqli_real_escape_string($db,$name), 
   mysqli_real_escape_string($db,$email), 
   mysqli_real_escape_string($db,$comment) ); 

// mysql 
$conn = mysql_connect(); 
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", 
   mysql_real_escape_string($name,$conn), 
   mysql_real_escape_string($email,$conn), 
   mysql_real_escape_string($comment,$conn) );
Anshu
  • 7,783
  • 5
  • 31
  • 41
  • 3
    Again, no! `mysql_*` cannot be used nowadays. – Shoe Jan 03 '13 at 09:24
  • As a matter of fact, they can be freely used as long as your PHP version below 5.5 (and even with further versions too, with cost of little error suppression) – Your Common Sense Jan 03 '13 at 09:28
  • 1
    @YourCommonSense, nope they should be used with PHP version below 5.0 only, since they are being deprecated and mysqli and PDO drivers were deployed in PHP 5.x. – Shoe Jan 03 '13 at 09:36
  • 4
    @Jeffrey Nope, the developer is free to use mysql_* if they so wish. It'll only generate E_DEPRECIATED warnings if used in 5.5+. Your original point "cannot be used" is incorrect - it is merely inadvisable to use them. – Jimbo Jan 03 '13 at 09:51
  • 4
    "You can drive a car with your feet if you want to, that don't make it a good idea." - Chris Rock – Mr_Chimp Jan 27 '15 at 15:21
10

mysql_real_escape_string() is designed to make data safe for insertion into the database without errors. (IE such as escaping slashes so that it doesn't break your code).

You should use mysql_ or mysqli_ functions to match your connection string. "mysqli" is the object oriented implementation of the mysql set of functions, so the functions are called in the object oriented style. "mysql" is procedural. I'd suggest changing over to "mysqli" because I believe there has been talk of depreciating the "mysql" functions in future versions.

If you connection string is:

mysql_connect()

then use:

mysql_real_escape_string($_POST[''])

If it is:

$mysqli = new mysqli();

then use:

$mysqli->real_escape_string($_POST[''])
Luke
  • 22,826
  • 31
  • 110
  • 193
  • He is putting a `$_POST` value in the escape method. And the file is called `insert_company.php`, so it's more than likely he **is** inserting data. – Oldskool Jan 03 '13 at 09:23
  • Whoops, he confused me because he said "I want to get". I have corrected my answer. – Luke Jan 03 '13 at 09:29
  • 3
    @YourCommonSense ohhh is that right? Is that why is states it in the manual??? "Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query()." http://php.net/manual/en/function.mysql-real-escape-string.php Happy reading! – Luke Jan 03 '13 at 09:32
  • Please note that this is now deprecated. `This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0.` – Luke Jul 08 '19 at 08:57
3

Definitely NO

Both functions has nothing to do with form data.
They have to be used to format string literals inserted into SQL query only.
This function belongs to the SQL query, not to whatever form. And even to very limited part of the query - a string literal.

So, every time you're going to insert into query a string literal (frankly, a portion of data enclosed in quotes), this function ought to be used unconditionally.
For the any other case it shouldn't be used at all.

As for the error you're getting - it's pretty self-explanatory: this function expects 2 parameters, not one. Just pass proper parameters as stated in the manual page for this function, and you'll be okay

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • 7
    It's not "pretty self explanatory" - the OP is clearly confused about the two implementations of the MYSQL functions. The "mysqli" function won't all of a sudden work when two parameters are passed, unless he has instantiated this object. – Luke Jan 03 '13 at 09:42
  • Agreed about the using it without reading the docs, but if there isn't a question here then we should be closing the question rather than answering. It is not self explanatory because this is users problem. Their problem is distinguishing between "mysqli" and "mysql" functions. – Luke Jan 03 '13 at 10:26
1

It should be this if you use Procedural style:

$city = mysqli_real_escape_string($link, $city);

where link is the connection

or this when you use Object oriented style:

$city = $mysqli->real_escape_string($city);

Check out the php manual: http://php.net/manual/en/mysqli.real-escape-string.php

Shoe
  • 74,840
  • 36
  • 166
  • 272
Perry
  • 11,172
  • 2
  • 27
  • 37
  • Did you read the question? – Shoe Jan 03 '13 at 09:25
  • Yes, he gets an error so I give him a solution for his error. You should always put the data as it is enterd in the database when you get the data back from the database you will format the data with something like htmlentities. – Perry Jan 03 '13 at 09:27
  • I tried it the procedural way but the result I get is an empty string. any suggestions? – Marian Klühspies Jan 30 '14 at 18:19
0

Both variants are fine* (Please look at my Update).

When you are using a mysql_connect then you should stick to mysql_real_escape_string() and also pass the connection handle.

When you are using a mysqli_connect then you should stick to mysqli_real_escape_string().

UPDATE

As pointed out by Jeffrey in the comments, using mysql_ functions is NOT fine. I agree to that. I was just pointing out, that you need to use the function that is used by the MySQL-extension you are using.

It came to me, that it was not the question, which MySQL-extension to use, but which function for escaping data.

If you ask me:

  • Use mysqli or PDO, because mysql is not recommendable and deprecated.
  • Pass the Connection Handle to the escape-function or better
  • use prepared Statements (PDO-Style)
Stefan
  • 2,028
  • 2
  • 36
  • 53
  • 1
    Jeffrey, i answered to the question to his usecase, i did not regard the advantages of the mysqli extension. I clarified my answer, hope it is better now, so i could help other people as well. – Stefan Jan 03 '13 at 10:23
  • these functions should not be used to escape "data" – Your Common Sense Jan 03 '13 at 10:25
  • @steve, I know that, I see that. In fact I haven't downvoted you, that was a comment that **needed** to be there for future visitors that might feel encouraged to use them. – Shoe Jan 03 '13 at 12:26
0

Since all the MySQL extension is being deprecated, you'd best use the MySQLi methods instead, it's more future proof.

Oldskool
  • 34,211
  • 7
  • 53
  • 66