-1

How to add mysql_real_escape_string() after str_replace()?

```php
$s='+'.str_replace(' ',' +',rawurldecode($_GET['search']));

$sql = '
SELECT * from table 
where match 
(keywords) 
AGAINST 
('".mysql_real_escape_string($s)."' IN BOOLEAN MODE) 
order by date desc 
limit '.mysql_real_escape_string($_GET['number']).',10
';
```

Is this the correct way to write the mysql_real_escape_string() in such a mysql full text search? Thanks.

Funk Forty Niner
yuli chika
  • Please, [don't use mysql_* functions in new code](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are officially deprecated. Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) — [this article](http://php.net/manual/en/mysqlinfo.api.choosing.php) will help you decide which. If you choose PDO, [here is a good tutorial](http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers). – user555 Dec 22 '13 at 15:19
  • No, this is not safe. And the first `mysql_real_escape_string` isn't processed, but passed as plain text (if there weren't a syntax error). – Marcel Korpel Dec 22 '13 at 15:23

1 Answer

-1

Yes, it is almost the correct way (you have a bad quote order), but the functions you are using are deprecated. Use mysqli. You should also use intval() because the user can input a text value and it generates an error.

```php
$sql = '
SELECT * from table 
where match 
(keywords) 
AGAINST 
("'.mysql_real_escape_string($s).'" IN BOOLEAN MODE) 
order by date desc 
limit '.intval($_GET['number']).',10
';
```
P.W-S
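The same full-text search written with PDO prepared statements, as the comment and the answer recommend. This is an added example, not code from the question or the answer; it assumes an existing PDO connection in `$pdo`, PHP 7.4 or later, and the `table`/`keywords`/`date` names from the question.

```php
<?php
// Added example (not from the question or answer): the boolean-mode full-text
// query with bound parameters instead of mysql_real_escape_string().

// Build the BOOLEAN MODE expression: every word becomes a required (+) term.
// Whitespace is normalised so "a  b" cannot produce an empty "+" term.
function buildBooleanTerm(string $raw): string
{
    $words = preg_split('/\s+/', trim(rawurldecode($raw)), -1, PREG_SPLIT_NO_EMPTY);
    // Binding already rules out SQL injection; stripping the full-text operator
    // characters (+ - < > ( ) ~ * " @) additionally stops a user from rewriting
    // the boolean expression itself (e.g. turning required terms into excluded ones).
    $words = array_map(fn ($w) => preg_replace('/[+\-<>()~*"@]/', '', $w), $words);
    $words = array_filter($words, fn ($w) => $w !== '');
    return implode(' ', array_map(fn ($w) => '+' . $w, $words));
}

function searchKeywords(PDO $pdo, string $search, $offset): array
{
    // LIMIT arguments must be integers, never quoted strings: cast and bind as int.
    $offset = max(0, (int) $offset);
    $term   = buildBooleanTerm($search);

    // `table` is a reserved word in MySQL, so it is quoted with backticks here.
    $stmt = $pdo->prepare(
        'SELECT * FROM `table`
          WHERE MATCH (keywords) AGAINST (:term IN BOOLEAN MODE)
          ORDER BY date DESC
          LIMIT :offset, 10'
    );
    $stmt->bindValue(':term', $term, PDO::PARAM_STR);
    $stmt->bindValue(':offset', $offset, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with constructed values standing in for $_GET['search'] and $_GET['number']:
// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass, [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // send :offset as a real integer
// ]);
// $rows = searchKeywords($pdo, 'php full text', '20');
```

With `ATTR_EMULATE_PREPARES` disabled the values never touch the SQL text at all, so the quoting question from the original post does not arise.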