-4

I have a website which uses a custom function for addslashes on all mysql queries like this:

function custom_addslashes($str) {
    return mysql_real_escape_string($str);
}

Recently I found out mysql_real_escape_string is deprecated. I have two options. Either

  1. go through the entire site and convert to prepared statements for every page, (argh) or

  2. modify the above function. I assume it is impossible to modify the above function to use PDO, since it is used for many different queries.

Is there a good way to do option 2, something like this?

function custom_addslashes($str) {
    // drop NUL bytes, double backslashes, backslash-escape single quotes
    return strtr($str, array("\0" => "", "\\" => "\\\\", "'" => "\\'"));
}

clarified the question

Ray S.
  • possible duplicate of [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Alma Do Oct 28 '13 at 11:49
  • 2
    Why a custom function when you have perfectly working builtin functions? – 웃웃웃웃웃 Oct 28 '13 at 11:50
  • You should probably look into prepared statements with PDO/MYSQLi. – Ben Fortune Oct 28 '13 at 11:50
  • @User016 because I don't want to use PDO/Mysqli. Too complicated. And mysql_real_escape_string is deprecated. – Ray S. Oct 28 '13 at 12:25
  • @AlmaDoMundo not a duplicate. I saw that and am asking if there's a way to do it without the prepared statements. – Ray S. Oct 28 '13 at 12:27
  • Too complicated? It's like 1 line of code if you're not binding parameters: $stmt->prepare($query). How is that complicated? – Jeff Hawthorne Oct 28 '13 at 13:32
  • You are asking your question out of awful wrong assumptions. Say, what function are you going to use to run your query? mysqli_query(), I suppose. Do you have any idea that this function is deprecated too? – Your Common Sense Oct 28 '13 at 13:42
  • @JeffHawthorne the reason is I have a website which uses a custom function for addslashes, namely function ($str) {return mysql_real_escape_string($str);}. To convert to prepared statements I would need to go through every page of the site instead of just modifying this function. – Ray S. Oct 28 '13 at 18:33
  • @YourCommonSense that was probably a typo on your part, but mysqli_query is not deprecated. I'm guessing you meant mysql_query, as all of the mysql_ functions are deprecated. http://php.net/manual/en/mysqli.query.php – Jeff Hawthorne Oct 30 '13 at 13:29
  • @RayS. your best alternative (and yes, this will still involve you going through your entire site) would be to switch from the mysql_ functions, which will be removed from PHP soon, to the mysqli_ functions. They're structured similarly to the mysql_ ones, so the conversion would be pretty simple, and they have a real escape string function that you can use in your custom function. http://www.php.net/manual/en/mysqli.real-escape-string.php – Jeff Hawthorne Oct 30 '13 at 13:32
  • @JeffHawthorne yeah, he's got it already. at last. – Your Common Sense Oct 30 '13 at 13:36
  • @Ray S.: So you are using prepared statement ? If yes what are you using PDO or any other library ? – Santosh Pradhan Apr 30 '14 at 12:51
  • 1
    @SantoshPradhan mysql_i – Ray S. Apr 30 '14 at 13:51

1 Answer

2

is that enough for all scenarios?

NO.

if not, what should be added?

prepared statement

I don't want to use the PDO/Mysqli. Too complicated. And mysql_real_escape_string is deprecated.

I would never in my life have expected such a conclusion.

Your Common Sense
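The two options from the question side by side, as an added example that is not code from the question, the answer or the comments: the wrapper kept but backed by mysqli's real_escape_string (the stopgap suggested in the comments), next to the same lookup as a mysqli prepared statement. The connection parameters and the `users` table are assumed.

```php
<?php
// Added example. Assumed: a mysqli connection $db and a table users(id INT, name VARCHAR).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Option 2: keep the wrapper, back it with mysqli. It now needs the connection,
// because escaping depends on the connection charset, so every call site still
// has to change (at least its argument list).
function custom_addslashes(mysqli $db, string $str): string {
    return $db->real_escape_string($str);
}

// Escaping only protects a value that lands inside a quoted string literal.
function find_user_escaped(mysqli $db, string $name): ?array {
    $sql = "SELECT id, name FROM users WHERE name = '"
         . custom_addslashes($db, $name) . "'";
    return $db->query($sql)->fetch_assoc() ?: null;
}

// Option 1: a mysqli prepared statement. The value travels separately from the
// SQL text, so no per-query escaping decision is needed, and the same pattern
// covers unquoted numeric slots, which escaping does not.
function find_user_prepared(mysqli $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);      // 's' string, 'i' integer, 'd' double
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;   // get_result() needs mysqlnd
}

function find_user_by_id(mysqli $db, int $id): ?array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);        // typed binding: no quoting, no escaping
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

$db = new mysqli('localhost', 'db_user', 'db_password', 'app');   // placeholder credentials
$db->set_charset('utf8mb4');   // keep escaping and the server charset in agreement

// A legitimate value containing a quote, handled correctly by both approaches.
var_dump(find_user_escaped($db, "O'Brien"));
var_dump(find_user_prepared($db, "O'Brien"));
var_dump(find_user_by_id($db, 42));
```

Calling `set_charset()` before any escaping is what keeps `real_escape_string` in step with the server; the prepared-statement versions do not depend on that ordering.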