difference between mysqli_real_escape_string() and mysql_real_escape_string()

Question

i have read countless articles but was wondering if someone could explain the difference to me in laymans terms? i know they both protect against sql injection and are for security. but if im using mysqli to run a query , or the old fashioned way of my_sql_query, does it really matter which one i use? are not they both wrappers anyway for the sql function?

why does the below code not work?

 $test="hello, 'there";
$db->real_escape_string($test);

$db->query("INSERT INTO users (first_name) VALUES ('$test')");

One works with the MySQL_* extension, the other works with the MySQLi_* extension.... but if you're using MySQLi you should be using prepared statements with bind variables — Mark Baker, Feb 21 '14 at 14:36
also u added mysqli_real_escape_string after the query execution and it needs the con as a param ! — Abhik Chakraborty, Feb 21 '14 at 14:37
im using mysqli but can you link anywhere to read up on prepared statements? — user3337617, Feb 21 '14 at 14:37
There's no real issue here. Something that could have easily been researched. Voted to close. — Funk Forty Niner, Feb 21 '14 at 14:39

score 4 · Answer 1 · edited May 23 '17 at 12:09

4

They take into account the current charset of the connection, so they need to be able to access the connection, so you have to use the one for the library you opened the connection with.

They should generally be avoided in favour of prepared statements though.

why does the below code not work?

$test="hello, 'there";
$db->query("INSERT INTO users (first_name) VALUES ('$test')", 

mysqli_real_escape_string($test));

You may have other issues but:

You escape $test after you've injected it into the SQL
You don't do anything with the return value.

This should go before you construct your string of SQL:

$test = mysqli_real_escape_string($link, $test);

edited May 23 '17 at 12:09

Community

1
1

answered Feb 21 '14 at 14:37

Quentin

914,110
126
1,211
1,335

Shouldn't that be `$test = mysqli_real_escape_string($con,$test);` or will that still work with what you posted? `mysqli_real_escape_string()` requires DB connection; far as I know. – Funk Forty Niner Feb 21 '14 at 14:41
@Fred-ii- — Ooops, you're right. I mostly only deal with databases through DBIx::Class so I don't have the mysqli syntax down pat. – Quentin Feb 21 '14 at 14:43
DBIx::Class hm... sounds interesting. I'll look into that. – Funk Forty Niner Feb 21 '14 at 14:44
difference of these functions are not explained – User123456 Jul 06 '16 at 06:17

score 0 · Answer 2 · answered Feb 21 '14 at 14:46

In addition to what Quentin said:

Both kind of same output.

mysql_real_escape_string

$link is must for mysqli_real_escape_string.

mysql_real_escape_string

$link is optional

If the link identifier is not specified, the last link opened by mysql_connect() is used. If not then try to open one with no parameters.

difference between mysqli_real_escape_string() and mysql_real_escape_string()

2 Answers2