-1

Why does mysql_real_escape_string not work on MySQLi?

When I use MySQL, I can use this code.

$test = mysql_real_escape_string($_POST['test']);

But when I updated to use MySQLi, I tried to use

$test = mysql_real_escape_string($_POST['test']);

But it does not work.

How can I use mysql_real_escape_string on MySQLi?

If I cannot use mysql_real_escape_string on MySQLi, how can I protect against SQL injection?

Now I use

$test = $_POST['test'];

It's very bad for SQL Injection.

Robert Down
  • 147
  • 1
  • 1
  • 7

1 Answer

2

How can I use mysql_real_escape_string on MySQLi?

Answer:

OOP Approach: $test = $conn -> real_escape_string($_POST['test']);

Procedural Approach: $test = mysqli_real_escape_string($conn,$_POST['test']);

You are also asking how you can protect against SQL injection

Answer: If you are going to use mysqli_* then you should use parameterized queries

http://php.net/manual/en/mysqli.real-escape-string.php

Irvin
  • 830
  • 5
  • 13
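
The parameterized-query approach recommended in the answer above, shown as an added example that is not part of the original answer. The connection credentials, the `users` table and the `findUsersByName` helper are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// Assumed for illustration: credentials, database name, and a `users`
// table with `id` and `name` columns.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

$conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
// Set the charset explicitly; real_escape_string() also depends on it.
$conn->set_charset('utf8mb4');

/**
 * Look up users by name with a prepared statement (hypothetical helper).
 * The SQL text is fixed; user data travels separately as bound parameters,
 * so it is never parsed as SQL, in string or numeric position.
 */
function findUsersByName(mysqli $conn, string $name, int $limit): array
{
    $stmt = $conn->prepare('SELECT id, name FROM users WHERE name = ? LIMIT ?');
    // Type string: 's' = string, 'i' = integer, 'd' = double, 'b' = blob.
    $stmt->bind_param('si', $name, $limit);
    $stmt->execute();
    // get_result() needs the mysqlnd driver (the default in current PHP).
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// No escaping call is needed on the input. A type check still is:
// a request can send test[]=x, which makes $_POST['test'] an array.
$test = $_POST['test'] ?? '';
if (!is_string($test)) {
    http_response_code(400);
    exit('invalid input');
}

// Clamp the numeric value server-side before binding it as an integer.
$limit = max(1, min(50, (int) ($_POST['limit'] ?? 10)));

foreach (findUsersByName($conn, $test, $limit) as $row) {
    // Output encoding is a separate concern from SQL parameter binding.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Placeholders can only stand in for values. Table and column names cannot be bound, so any identifier that varies must come from a fixed allow-list in the code.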