-7

So I was wondering, if I need to escape a string, why do I need to connect to my database first?

I tried something like:

$username = mysqli_real_escape_string($username);

But that didn't work; it requires 2 parameters (one of which is the $connect). Could you please explain the purpose of connecting to the database first and then escaping it?

I would also like to know how that would be efficient/applied in a registration page as well.

Thanks.

Please Delete me
  • 5
    This question appears to be off-topic because it is not a real question: this information is available in the PHP manual. –  Nov 23 '13 at 07:36
  • The documentation for that function says quite plainly: "*The given string is encoded to an escaped SQL string, **taking into account the current character set of the connection**.*" Different connection charsets need different encodings. – DCoder Nov 23 '13 at 07:36
  • 1
    I recommend [not using *_escape_string](http://stackoverflow.com/a/60496/2864740) if possible. – user2864740 Nov 23 '13 at 07:37
  • 2
    Read the manual next time before asking! – Matteo Tassinari Nov 23 '13 at 07:39

1 Answer

2

Per the docs:

> **Security: the default character set**
>
> The character set must be set either at the server level, or with the API function `mysqli_set_charset()` for it to affect `mysqli_real_escape_string()`. See the concepts section on character sets for more information.

And therein lies the reason for having the connection: how to escape your string depends on the server's character set.

Community
Denis de Bernardy
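As an added example (not code from the question, the answer, or the PHP manual), this sketch shows the connection charset being set through the API before escaping, next to the prepared-statement form a registration page would normally use, as the comment above recommends. The credentials, the `users` table, its `username` and `password_hash` columns, a UNIQUE index on `username`, and the validation limits are all assumptions.

```php
<?php
// Added example: credentials, table and column names are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function db_connect(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    // Set the charset through the API so the client library knows it.
    // Sending "SET NAMES ..." as a query changes the server side only and
    // leaves mysqli_real_escape_string() working with the old charset.
    $db->set_charset('utf8mb4');
    return $db;
}

// Escaping variant: the connection comes first because the escaping
// rules depend on that connection's character set.
function find_user_escaped(mysqli $db, string $username): ?array
{
    $safe = mysqli_real_escape_string($db, $username);
    // The escaped value is only safe inside a quoted SQL string.
    $res = $db->query("SELECT id, username FROM users WHERE username = '$safe'");
    return $res->fetch_assoc() ?: null;
}

// Registration with a prepared statement: values travel separately from
// the SQL text, so no escaping step is involved.
function register_user(mysqli $db, string $username, string $password): bool
{
    $username = trim($username);
    if ($username === '' || strlen($username) > 64 || strlen($password) < 8) {
        return false; // constructed validation limits
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // duplicate key: name already taken
            return false;
        }
        throw $e;
    }
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = $_POST['username'] ?? '';
    $p = $_POST['password'] ?? '';
    $ok = is_string($u) && is_string($p) && register_user(db_connect(), $u, $p);
    echo $ok ? 'Registered' : 'Registration failed';
}
```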