mysql_real_escape_string() function for $user In PhP script, swears demanding to do how to fix it?

Question

In this part requires to replace it:

$sql = "SELECT * FROM wallets WHERE id = '$user' LIMIT 1";

Requires to do this: use the mysql_real_escape_string() function for the $user parameter

How to implement it?

$sql = "SELECT * FROM wallets WHERE id = '$user' LIMIT 1";

Eliminate vulnerability!

`mysqli_real_escape_string` is not enough. Read about parameterized queries. See this post https://stackoverflow.com/a/60496/11127709 — Budimir Skrtic, Apr 30 '19 at 21:16
`mysql_real_escape_string()` is deprecated. See [this page](https://phptherightway.com/#databases). — Alex Howansky, Apr 30 '19 at 21:17

score 0 · Accepted Answer · answered Apr 30 '19 at 21:26

0

You really should upgrade the code from the mysql extension to mysqli or PDO, and then use parametrized queries. The mysql extension was deprecated years ago, and has been removed entirely from PHP 7.

But if you're still using this extension, you can do:

$user_esc = mysql_real_escape_string($user);
$sql = "SELECT * FROM wallets WHERE id = '$user_esc' LIMIT 1";

answered Apr 30 '19 at 21:26

Barmar

741,623
53
500
612

I suppose people would be more willing to upvote, if you showed an example of the proper way to do it without archaic functions. – Dharman Apr 30 '19 at 22:02

mysql_real_escape_string() function for $user In PhP script, swears demanding to do how to fix it?

1 Answers1