
I've been using MySQLi functions in PHP for a long time, and I always ask myself the same thing: why does the function mysqli_real_escape_string need the connection as its first parameter? It doesn't make sense! It's just a function to escape quotes.

Do you know why?

Broda Noel

  • [**RTM**](http://php.net/manual/en/mysqli.real-escape-string.php) You don't have to read much to get your answer, but you have to read – Rizier123 May 31 '15 at 22:02
  • http://en.wikipedia.org/wiki/MySQLi and http://php.net/manual/en/mysqli.overview.php - your question is far too broad and requires more research to answer your question. That decision was made by the developers at PHP.net along with other staff involved in the development of MySQLi. So, ask them. – Funk Forty Niner May 31 '15 at 22:14

1 Answer

mysqli_real_escape_string must be aware of the character set of the connection so that it can escape special characters properly. If you use a multi-byte character set then mysqli must know. Otherwise an SQL injection is possible. See this answer for more detail.

However, don't use it! Use Prepared Statements!

Federkun

  • Thank you Leggendario. I know that it's a bad practice, but if I need to change to prepared queries, I would have to change a lot of lines in this website. Prepared queries are available only in OOP – Broda Noel May 31 '15 at 22:08
  • No, they aren't. You can use prepared statements even with mysqli – Federkun May 31 '15 at 22:12
  • But there isn't a way to use it with functions. I mean, you would have to do: `$foo->prepare()` and bla bla bla... You don't have a way to use it as: mysqli_query("SELECT x from x where x = ".mysqli_prepare($foo)); – Broda Noel May 31 '15 at 22:14
  • You aren't escaping data, you are binding it. This is the big change! – Federkun May 31 '15 at 22:15
  • Exactly. I use OOP MySQL in my own projects. But in that case I couldn't. Here we can check that we can't use Prepare in the MySQLi extension using just functions. Look for "API supports client-side Prepared Statements" in http://en.wikipedia.org/wiki/MySQLi – Broda Noel May 31 '15 at 22:18
  • "client-side Prepared Statements NO" means only that the client (mysqli) can't emulate them. With mysql this is not a problem – Federkun May 31 '15 at 22:23
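As an added example (not code from the question or the answer above), the two styles side by side: the legacy escape, which only works correctly once the client library knows the connection's character set via `mysqli_set_charset`, and a prepared statement written entirely with the procedural `mysqli_*` functions that the comments assumed did not exist. Host, credentials, the `users` table and the `name` query parameter are placeholders.

```php
<?php
// Added example; connection details and the `users` table are placeholders.
$link = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
if ($link === false) {
    die('Connect failed: ' . mysqli_connect_error());
}

// Register the connection's character set with the client library. Changing
// it with a raw "SET NAMES" query would leave mysqli_real_escape_string
// unaware of the multi-byte encoding in use, which is why that function
// takes the connection handle as its first argument.
mysqli_set_charset($link, 'utf8mb4');

$name = isset($_GET['name']) ? $_GET['name'] : '';

// (a) Legacy style: the client escapes the value using the connection's
// charset and the value is spliced into the SQL text.
$escaped = mysqli_real_escape_string($link, $name);
$sql = "SELECT id, name FROM users WHERE name = '$escaped'";
$legacy = mysqli_query($link, $sql);

// (b) Preferred style: a prepared statement through the procedural API.
// The value travels separately from the SQL text and is bound, not escaped,
// so the character set problem never arises.
$stmt = mysqli_prepare($link, 'SELECT id, name FROM users WHERE name = ?');
mysqli_stmt_bind_param($stmt, 's', $name);   // 's' = bind as a string
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id, $rowName);
while (mysqli_stmt_fetch($stmt)) {
    printf("%d: %s\n", $id, htmlspecialchars($rowName, ENT_QUOTES, 'UTF-8'));
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```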