
As mysql_real_escape_string is now deprecated, I have to change one function on the site that is using it. For the life of me, I can't figure out the proper mysqli or PDO code to use. Maybe someone can guide me in the right direction. This is how it currently looks.

    if (isset($_GET['btnSearch']) && !empty($_GET['txtSearch'])) {

        $txtSearch = trim(mysql_real_escape_string($_GET['txtSearch']));

        if (preg_match("/^(?i)BAW[0-9]+/", $txtSearch)) {
            $pilot->pilot_num = strtoupper($txtSearch);
        } else {
            $pilot->name = $txtSearch;
        }
    }

Thank you all.

Dharman
Raimo Ingland
  • You don't escape data in PDO and MySQLi. You use prepared statements. – Peter Nov 11 '14 at 15:13
  • The best for you is to start reading about PDO (my favorite) because your problem is not only this code, as you say. –  Nov 11 '14 at 15:16

2 Answers

1

To replace mysql_real_escape_string with mysqli_real_escape_string you need to have an already opened connection to your DB like this:

    $DBH = new mysqli($dbhost, $dbusername, $dbpasswd, $database_name);

then you can replace

    mysql_real_escape_string($_GET['txtSearch'])

with

    $DBH->real_escape_string($_GET['txtSearch'])

Your Common Sense
v.sheldeshov
  • Thank you. How would you suggest opening a connection to the database? In the same file? This is the only place I use real_escape. – Raimo Ingland Nov 15 '14 at 01:19
  • I always use the same connection for this. By the way, if the code above is placed in some function, you may pass the needed value already escaped. – v.sheldeshov Nov 15 '14 at 08:01
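The comments on the question point to prepared statements rather than escaping. As an added example (not code from the question or from either answer), here is the same search rewritten with PDO so the user input is bound as a parameter and never spliced into the SQL text; the table and column names (pilots, id, pilot_num, name) are assumptions.

```php
<?php
// Added example: the search from the question done with a PDO prepared
// statement instead of mysql_real_escape_string. Table/column names assumed.

// Open the connection with exceptions enabled so a failed prepare/execute is
// not silently ignored, and with emulated prepares off so MySQL itself binds
// the parameter.
$pdo = new PDO(
    "mysql:host=$dbhost;dbname=$database_name;charset=utf8mb4",
    $dbusername,
    $dbpasswd,
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

function findPilots(PDO $pdo, string $rawSearch): array
{
    // No escaping: the value is handed to the driver as data, not as SQL.
    $txtSearch = trim($rawSearch);

    if (preg_match('/^(?i)BAW[0-9]+/', $txtSearch)) {
        // Same branch as the original: BAW-style input is a pilot number.
        $sql   = 'SELECT id, pilot_num, name FROM pilots WHERE pilot_num = :value';
        $value = strtoupper($txtSearch);
    } else {
        $sql   = 'SELECT id, pilot_num, name FROM pilots WHERE name = :value';
        $value = $txtSearch;
    }

    // The query text is fixed; only the bound value changes, so quotes or
    // comment sequences in $value cannot alter the structure of the query.
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':value' => $value]);

    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (isset($_GET['btnSearch']) && !empty($_GET['txtSearch'])) {
    $pilots = findPilots($pdo, (string) $_GET['txtSearch']);
}
```

With mysqli the shape is the same: `$DBH->prepare('SELECT ... WHERE name = ?')`, then `bind_param('s', $value)` and `execute()`, so the value is still bound rather than escaped into the query string.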
-1

As it appears, I already have an open connection and the framework handles the query. All that is needed is the removal of

    mysql_real_escape_string

Raimo Ingland