-1
    // The function name sits inside the string literal, so it is never called;
    // the raw request value is interpolated into the SQL text instead.
    $q = "INSERT INTO articles VALUES( mysql_real_escape_string({$_GET['article']}) )";
    $req = $bdd->prepare($q);
    $req->execute();

I've been working on another server where mysql_real_escape_string() is still not obsolete, and now I'm moving the site to another MySQL server which apparently doesn't accept this function anymore. And it's pretty clear I need to use some PDOs.

So what's the PDO equivalent for mysql_real_escape_string()? I'm trying something like this:

    $idc = new PDO(...);
    // "$idc->quote" inside a double-quoted string interpolates a property named
    // quote, not a method call, so PDO::quote() is never invoked here either.
    $q = "INSERT INTO articles VALUES( $idc->quote({$_GET['article']}) )";
    $req = $bdd->prepare($q);
    $req->execute();

I do use prepared statements, but I suspect my PDO::quote is wrong somewhere.

But it doesn't render the same result... Thank you.

afiqjohari
  • 231
  • 3
  • 11
  • If you're using PDO, you should be using prepared statements. BTW, your original statement wouldn't have worked, since functions aren't evaluated inside strings -- you need to use concatenation. – Barmar Apr 25 '13 at 01:07
  • What result do you get from `quote`? Also are you putting `mysql_real_escape_string` or `quote` directly into the query? Because that won't work... – Explosion Pills Apr 25 '13 at 01:12
  • If you suspect something, why not try the manual page? – Your Common Sense Apr 25 '13 at 03:30

2 Answers

1

PDO::quote is the equivalent of mysql_real_escape_string. If there's some reason you can't use a prepared statement, you can use it like this:

    $q = "INSERT INTO articles VALUES (" . $idc->quote($_GET["article"]) . ")";

A significant difference is that it includes the surrounding quotes around the string, while mysql_real_escape_string doesn't (so you would have to put quotes in your INSERT string).

Barmar
  • 741,623
  • 53
  • 500
  • 612
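The following is an added example, not code from the question or either answer. It puts the two points made above side by side: Barmar's comment that a function name written inside a string literal is never called, and his answer that PDO::quote() returns the value already wrapped in quotes, so it is concatenated into the SQL rather than quoted again. The table name and column (`articles.body`), the variable `$article` standing in for `$_GET['article']`, and the in-memory SQLite connection are all assumptions made so the script runs offline; with a MySQL connection the same calls apply, and PDO::quote() then escapes according to that connection's charset.

```php
<?php
// Added example: prepared statement (preferred) versus PDO::quote() fallback.
// Assumptions: an in-memory SQLite database and a one-column "articles" table.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE articles (body TEXT NOT NULL)');

// Constructed stand-in for $_GET['article']: contains a single quote and a
// comment marker, the characters an escaping step has to handle.
$article = "O'Reilly -- ";

// 1. Preferred: a prepared statement with a bound parameter. The SQL text
//    never contains user data, so no escaping step is needed at all.
$stmt = $pdo->prepare('INSERT INTO articles (body) VALUES (:body)');
$stmt->execute([':body' => $article]);

// 2. Fallback: PDO::quote(). Unlike mysql_real_escape_string(), it returns the
//    value WITH surrounding single quotes, so it is concatenated straight into
//    the statement and must not be wrapped in a second pair of quotes.
$quoted = $pdo->quote($article);
$pdo->exec('INSERT INTO articles (body) VALUES (' . $quoted . ')');

// 3. What the question's string did: a function name inside a double-quoted
//    string is literal text, not a call. Only the variable is interpolated.
$literal = "VALUES( mysql_real_escape_string({$article}) )";
echo "Not a call, just text: $literal\n";

// Both inserted rows hold the original value unchanged, embedded quote included.
$rows = $pdo->query('SELECT body FROM articles')->fetchAll(PDO::FETCH_COLUMN);
var_dump($rows === [$article, $article]);
echo "quote() output: $quoted\n";
```

The exact escaping that PDO::quote() produces depends on the driver (SQLite doubles the embedded quote, MySQL backslash-escapes it), which is one more reason to prefer the bound parameter: it gives the same result on every driver without the SQL text ever containing the input.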
0

Use prepared statements (preferred) or PDO::quote().

hek2mgl
  • 152,036
  • 28
  • 249
  • 266