
I use mysql_real_escape_string for better security. For better mysql performance I am now thinking about replacing it.

I found a detailed explanation about mysql_real_escape_string and mysql_escape_string in mysql_escape_string VS mysql_real_escape_string.

My question is:

If I use a persistent connection and know the character set (only UTF-8), is there any way to replace mysql_real_escape_string with something that does not use mysql?

stix

  • Don't use any of them. The `mysql_*` functions will be [deprecated in PHP 5.5](http://php.net/manual/en/faq.databases.php#faq.databases.mysql.deprecated). It is not recommended for writing new code as it will be removed in the future. Instead, use either [MySQLi](http://php.net/manual/en/book.mysqli.php) or [PDO](http://php.net/manual/en/book.pdo.php) and [be a better PHP Developer](http://jason.pureconcepts.net/2012/08/better-php-developer/). – Jason McCreary Jan 03 '13 at 18:16
  • You shouldn't be using the mysql_*() functions to begin with. Switch to mysqli or PDO, and use prepared statements with placeholders. 99% of the time, you won't even have to go anywhere NEAR escaping stuff yourself. – Marc B Jan 03 '13 at 18:17
  • You are not going to optimize mysql queries with mysql_real_escape_string. If you want to optimize, look into your mysql tables. Set the right indexes and look at your queries. – Green Black Jan 03 '13 at 18:19
  • I know about deprecated in PHP 5.5 but it is a very big application with a high load of traffic. It will definitely not be rewritten to MySQLi now; this will be done in a future version. – stix Jan 03 '13 at 18:19
  • The problem you ask about is likely to be *a personal problem*. I doubt that it is of any use to ask it here publicly. I suggest you call mysql professional support at either Oracle or a profound, independent consultation company and get all your little, dippy questions answered and even the source-code behind all this explained in a language understandable to you. That should then help you to base a (personal) decision on (a professional consultation company will likely deny to make much of a suggestion anyway). – hakre Jan 03 '13 at 18:28

2 Answers


First thing, STOP using mysql_query and related functions. It's deprecated in PHP 5.5 and will produce warnings when used because you should not be using it at all.

Secondly, always use mysql_real_escape_string and only that to escape your values. Don't even think about trying another method. It's ugly, annoying, and just one of many reasons why you shouldn't be using mysql_query to start with. Don't roll your own. Don't look for faster alternatives because there aren't any that are safe to use.

At the earliest possible opportunity, switch to PDO. The conversion cost may be significant if your application is in a severe state of disrepair, but if applied correctly, in a disciplined fashion, the chance of having a SQL injection bug is near zero.

If you're having performance problems with the escaping functions, I have no idea what you're doing, but you're probably doing it wrong. These are usually near zero cost unless you're literally doing millions of them per page load. The execution time of the query you render is almost always significantly longer than the time it takes to prepare the statement itself.

tadman


http://dev.mysql.com/doc/refman/5.5/en/apis-php-class.mysqli.html

Use parameterized queries from the MySQLi library; there have previously been bugs in the escaping routine, and it's possible that some could appear again. Parameterizing the query is much, much harder to mess up, so it's less likely that you can get compromised by a MySQL bug.

Head

  • `mysqli` is pretty junk compared to PDO but it's a lot better than ye-olde `mysql_query` – tadman Jan 03 '13 at 18:21
  • @tadman: Get over it. It's very fine, does more than PDO and even has Iterators in PHP 5.4. So what is actually the difference where it is junk? (Not saying you should favor it, there are reasons to use the one or other, but "being junk" is just plain wrong). – hakre Jan 03 '13 at 18:26
  • It works just as well in practice, but PDO has support for named placeholders which makes auditing your statements significantly easier, avoiding the problem of getting the order of your binding calls messed up. `mysqli` is a good fallback if PDO is not available, but otherwise it is not measurably better. – tadman Jan 03 '13 at 18:26
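Both answers point at parameterized queries rather than escaping: tadman's at PDO, Head's at MySQLi. The following is an added example, not code from the question or from either answer, showing the same lookup written both ways so the difference in binding style is visible. The `users` table, its columns and the connection constants are assumptions; the character set is declared through the driver in both cases, which is what makes the asker's "I know it is always UTF-8" assumption something the driver enforces rather than something the application has to remember.

```php
<?php
// Added example: the same parameterized query with PDO (named placeholders)
// and with MySQLi (positional markers). Table and credentials are placeholders.
declare(strict_types=1);

const DB_HOST = 'localhost';   // placeholder
const DB_NAME = 'app';         // placeholder
const DB_USER = 'app_user';    // placeholder
const DB_PASS = 'CHANGE_ME';   // placeholder

/**
 * PDO: the charset is part of the DSN, so the driver knows how to quote.
 * Emulated prepares are turned off so values travel to the server separately
 * from the SQL text instead of being spliced into it client-side.
 */
function findUsersPdo(string $email, int $minLogins): array
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', DB_HOST, DB_NAME);
    $pdo = new PDO($dsn, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);

    // Named placeholders: each value is bound by name, so binding order
    // cannot silently drift when the query is edited later.
    $stmt = $pdo->prepare(
        'SELECT id, email, logins FROM users WHERE email = :email AND logins >= :min'
    );
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':min', $minLogins, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->fetchAll();
}

/**
 * MySQLi: positional '?' markers. The bind_param type string ('s' string,
 * 'i' integer) must line up with the argument order exactly.
 */
function findUsersMysqli(string $email, int $minLogins): array
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4'); // declare the charset via the API, not a raw query

    $stmt = $db->prepare(
        'SELECT id, email, logins FROM users WHERE email = ? AND logins >= ?'
    );
    $stmt->bind_param('si', $email, $minLogins);
    $stmt->execute();

    // get_result() needs the mysqlnd driver; use bind_result() otherwise.
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    $db->close();

    return $rows;
}

// A value containing a quote, the case escaping exists for, is plain data here:
// neither path concatenates it into the SQL text.
$email = "o'brien@example.com"; // constructed sample input
var_dump(findUsersPdo($email, 1));
var_dump(findUsersMysqli($email, 1));
```

Either function replaces a `mysql_real_escape_string` + string-concatenation pattern with no escaping call at all, which is the answer to the question as asked: the work moves into the driver, and there is nothing left for the application to optimize away.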