Getting error with PDO

Question

So I'm trying to use this name = $con->real_escape_string($_POST['name']); with my code, and its not working. I get the error

Fatal error: Call to undefined method PDO::real_escape_string() in /Users/idrisk/Colourity/si/r.php on line 15` I'm not sure what that means. Here's the code I have so far.

$username = "xxx";
$password = "xxx";
try
    {
    $con = new PDO('mysql:host=localhost;s=myDatabase', $username, $password);
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }catch(PDOException $e)
    {
    echo 'ERROR: ' . $e->getMessage();
    }



        $name = $con->real_escape_string($_POST['name']);
        $username = $con->real_escape_string($_POST['username']);
        $email = $con->real_escape_string($_POST['email']);
        $password1 = $con->real_escape_string($_POST['pass1']);
        $password2 = $con->real_escape_string($_POST['pass2']);

Any ideas?

PDO doesn't have a `real_escape_string` method. Bind the parameters instead. — Amal Murali, Apr 21 '14 at 00:55
http://www.phptherightway.com/#databases -- good start to learn about — Black Sheep, Apr 21 '14 at 00:58
@user3444414: Also, see: http://wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers — Amal Murali, Apr 21 '14 at 00:58
Well theres like 100 examples. Which one corresponds to `$_POST`? @AmalMurali — , Apr 21 '14 at 01:00
@user3444414: See under "*Running Statements With Parameters*". — Amal Murali, Apr 21 '14 at 01:01
Where would `$_POST` be though? Can you show me an example with my current code? @AmalMurali — , Apr 21 '14 at 01:04
`$_POST['foo']` is just another variable. It's not special. Just read the entire article, @user3444414. It's worth it. — Amal Murali, Apr 21 '14 at 01:05

Bill Karwin · Accepted Answer · 2014-04-21T01:35:04.077

1

PDO doesn't have a real_escape_string function, but it does have PDO::quote().

$name = $con->quote($_POST['name']);

PDO::quote() does one thing that mysqli::real_escape_string() doesn't do: it adds the quote marks around the resulting escaped string.

Example with mysqli:

$name = $mysqli->real_escape_string($_POST['name']);
$sql = "SELECT * FROM table1 WHERE name = '$name'"; // use single-quotes

Example with PDO:

$name = $pdo->quote($_POST['name']);
$sql = "SELECT * FROM table1 WHERE name = $name"; // don't use single-quotes

Anyway, as @AmalMurali commented above, it's better to use prepared statements and parameters. Here's an easy way to use prepare() and pass parameters to execute():

$sql = "INSERT INTO table1 VALUES (:name, :username, :email, :pass1)";
$params = array_intersect_key($_POST, 
    array_flip(array('name', 'username', 'email', 'pass1')));
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

Parameters are better because they're just as safe for protecting against SQL injection, and they're easier to get right than the messy and error-prone escaping, quoting, and string-concatenation.

If you don't recognize some of those functions I showed, go read the docs:

Get used to reading documentation. Reading docs, reading other people's code, and experimentation is how most of us learned all this stuff.

There are even code examples in almost all of the PHP documentation pages.

edited Apr 21 '14 at 01:35

answered Apr 21 '14 at 01:28

Bill Karwin

538,548
86
673
828

So basically `$name = $_POST['name'];` turns into `$name = $pdo->quote($_POST['name']);`? Or could i just use the prepared statement and parameters method instead? – Apr 21 '14 at 01:32
1

`use the prepared statement and parameters method instead` is better and safer. – Prix Apr 21 '14 at 01:38
Right, use prepare() with parameters. You'll be glad you did. – Bill Karwin Apr 21 '14 at 01:39
But then how would I validate an email? `(!filter_var(:email, FILTER_VALIDATE_EMAIL))`? – Apr 21 '14 at 01:42
That's a totally separate question from using variables safely in SQL. Search StackOverflow for "php validate email" and you'll find answers like this: http://stackoverflow.com/questions/5855811/how-to-validate-an-email-in-php for an answer. – Bill Karwin Apr 21 '14 at 01:44
Well I know how to valid it, its just that using prepared or parameters don't have variables.... – Apr 21 '14 at 01:45
You can pass any array to execute(), or you can use [PDOStatement::bindParam()](http://php.net/manual/en/pdostatement.bindparam.php). You really need to go read the documentation before you ask any more naive questions. – Bill Karwin Apr 21 '14 at 01:50
@user3444414 validating and inserting it safely are 2 different things, what the prepared statements give you is the peace of mind against SQL Injection while validating the data you receive is to make sure it comply to your needs for example will you want an email like `this is the email I used on your email field` as you can see if you don't validate your potential fields they can still use anything they want, so validating that the email is a valid one is also something important along with for instance validating if the username only contain the characters you have previously specified. – Prix Apr 21 '14 at 04:30
@user3444414 besides the peace of mind it also makes inserting data much easier to several different things such as for example a huge block of text where normally you would have to escape all of the bad characters and other things while on prepared statement you don't have to change anything. – Prix Apr 21 '14 at 04:31

Getting error with PDO

1 Answers1