
This is PHP's procedural way of using mysqli_real_escape_string:

```php
$city = "'s Hertogenbosch";
$city = mysqli_real_escape_string($link, $city);
```

As you can see, the method requires two parameters:

  1. The connection / link
  2. The string

Why do I need to specify the link? What if I just want to parse a regular string and then return an escaped string?

ChrisGPT was on strike
cleverpaul
  • Just use prepared statements. – pvg Jun 27 '17 at 01:11
  • @pvg that's not what the OP asked, it's actually an interesting question for a change. – Capsule Jun 27 '17 at 01:28
  • @Capsule It isn't, but the docs cover it well. Sanest is to just avoid `mysqli_real_escape_string` whenever possible which is very nearly always – pvg Jun 27 '17 at 01:34
  • Possible duplicate of [Why mysqli_real_escape_string have a connection object as a first parameter](https://stackoverflow.com/questions/30563173/why-mysqli-real-escape-string-have-a-connection-object-as-a-first-parameter?rq=1) – Funk Forty Niner Jun 27 '17 at 01:41
  • Possible duplicate of [Why mysqli\_real\_escape\_string have a connection object as a first parameter](https://stackoverflow.com/questions/30563173/why-mysqli-real-escape-string-have-a-connection-object-as-a-first-parameter) – P.J.Meisch Jun 27 '17 at 07:35

1 Answer

Here is how the function is described in the documentation (emphasis mine):

> Escapes special characters in a string for use in an SQL statement, **taking into account the current charset of the connection**

The connection is needed to determine the character set to use when escaping the string, which is important for security.

ChrisGPT was on strike
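
Added example, not part of the answer above and not PHP or MySQL library code: a simplified Python model of quote escaping that shows why the escaper has to know the connection's character set. The helper names (`single_len`, `gbk_len`, `escape`, `bare_quotes`) and the `ODD` input are constructed for illustration; GBK stands in for any multibyte charset whose trail bytes can include `0x5C`.

```python
# Simplified model of MySQL string escaping (added illustration, not library code).
SPECIAL = {0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
           0x22: b'\\"', 0x27: b"\\'", 0x5C: b"\\\\"}

def single_len(buf, i):
    """Single-byte charset (e.g. latin1): every byte is one character."""
    return 1

def gbk_len(buf, i):
    """GBK: 2 = valid two-byte character, 1 = single byte,
    0 = lead byte that is not followed by a valid trail byte."""
    if not 0x81 <= buf[i] <= 0xFE:
        return 1
    ok = i + 1 < len(buf) and 0x40 <= buf[i + 1] <= 0xFE and buf[i + 1] != 0x7F
    return 2 if ok else 0

def escape(raw, char_len):
    """Escape `raw` the way a client that assumes `char_len` would."""
    out, i = bytearray(), 0
    while i < len(raw):
        n = char_len(raw, i)
        if n == 2:
            out += raw[i:i + 2]              # whole multibyte character, untouched
        elif n == 0:
            out += b"\\" + raw[i:i + 1]      # neutralise a dangling lead byte
        else:
            out += SPECIAL.get(raw[i], raw[i:i + 1])
        i += max(n, 1)
    return bytes(out)

def bare_quotes(escaped, char_len):
    """Count single quotes a server parsing with `char_len` sees as unescaped."""
    count, i = 0, 0
    while i < len(escaped):
        if char_len(escaped, i) == 2 or escaped[i] == 0x5C:
            i += 2                           # skip multibyte char or backslash pair
        else:
            count += escaped[i] == 0x27
            i += 1
    return count

CITY = b"'s Hertogenbosch"   # the question's string, plain ASCII
ODD = b"\xbf'"               # constructed: invalid GBK sequence ending in a quote
```

For plain ASCII such as `CITY` both rules agree, but for `ODD` only the charset-aware rule leaves no unescaped quote when the server reads the result as GBK. In PHP the connection learns its charset from `mysqli_set_charset()`, which is what lets `mysqli_real_escape_string()` apply the right rule.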