Questions tagged [mysql-real-escape-string]

A PHP function that escapes special characters in a string for use in an SQL statement. This function has been deprecated and should not be used in new code.

mysql_real_escape_string is a PHP function that escapes the special characters in a string so that it can be embedded in an SQL string literal, producing a literal that will not break the query, cause a syntax error, or allow SQL injection.

It should be used for string literals only: it gives no protection for values placed elsewhere in a query (numbers, identifiers, LIMIT clauses) or for a value interpolated into the query without surrounding quotes.

The function is deprecated, along with the rest of the mysql extension.

The mysql extension has been replaced by the mysqli extension and the PDO library. Both of these have their own escaping functions, but they also both support prepared statements (mysqli, PDO), which should be used instead of manual escaping.

375 questions
95 votes, 4 answers

Alternative to mysql_real_escape_string without connecting to DB

I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my…
Viet
61 votes, 4 answers

mysql_escape_string VS mysql_real_escape_string

I know that mysql_escape_string is deprecated from 5.3 but what was the actual difference in mysql_real_escape_string. What I thought was that mysql_real_escape_string is the exact same as mysql_escape_string apart from mysql_real_escape_string…
RobertPitt
47 votes, 6 answers

Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?

I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string. Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the…
BlissC
17 votes, 3 answers

Do I have to use mysql_real_escape_string if I bind parameters?

I have the following code: function dbPublish($status) { global $dbcon, $dbtable; if(isset($_GET['itemId'])) { $sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?'; $stmt = $dbcon->prepare($sqlQuery); $stmt->bind_param('ii',…
Babak
17 votes, 3 answers

PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes

I'm having issues escaping/stripping strings with PHP/MySQL - there always seems to be redundant slashes. Let's take the following string as an example: underline When adding a string to the…
teaforchris
13 votes, 9 answers

Decoding mysql_real_escape_string() for outputting HTML

I'm trying to protect myself from sql injection and am using: mysql_real_escape_string($string); When posting HTML it looks something like this:

Peter Craig
13 votes, 9 answers

mysql_real_escape_string() leaving slashes in MySQL

I just moved to a new hosting company and now whenever a string gets escaped using: mysql_real_escape_string($str); the slashes remain in the database. This is the first time I've ever seen this happen so none of my scripts…
Eric Lamb
12 votes, 2 answers

Is mysql_real_escape_string vulnerable to invalid UTF-8 exploitation eg overlong UTF-8 or ill formed UTF-8 sequences?

Assuming I have my database set up as follows to use utf-8 (the full 4mb version in mysql) mysql_query("SET CHARACTER SET utf8mb4"); mysql_query("SET NAMES utf8mb4"); I am using mysql_real_escape_string to escape unwanted characters before putting…
Hard worker
12 votes, 6 answers

Should I use mysqli_real_escape_string() or mysql_real_escape_string() for form data?

Possible Duplicate: mysql_escape_string VS mysql_real_escape_string I need to get company_name (given by user through a form) entered into my mysql database. When I use $company = mysqli_real_escape_string($_POST['company_name']) I get an…
user1629766
12 votes, 2 answers

Shortcomings of mysql_real_escape_string?

I have seen a few people on here state that concatenating queries using mysql_real_escape_string will not protect you (entirely) from SQL injection attacks. However, I am yet to see an example of input that illustrates an attack that…
Mitch Satchwell
11 votes, 6 answers

PHP mysql_real_escape_string returns empty string

I'm trying to work a bit of security and sanitization into my databases application (for a class). To start off with, I'm trying to use mysql_real_escape_string, but whenever I use it, it always returns an empty string! Here's the connection…
Drake
10 votes, 5 answers

mysql_real_escape_string() just makes an empty string?

I am using a jQuery AJAX request to a page called like.php that connects to my database and inserts a row. This is the like.php code:
VIVA LA NWO
9 votes, 9 answers

mysql_real_escape_string and ’

I'm using mysql_real_escape_string to escape a string before inserting it into my mysql database. Everything's working fine, except that the character ’ is getting missed and turned into ’ by mysql. What can I do to solve the problem?…
significance
9 votes, 2 answers

Escaping a string with quotes in Laravel

I would like to insert the content of an excel file into my database. I simply use a raw query to achieve this. The controller function public function uploadExcel() { $filename = Input::file('import_file')->getRealPath(); $file =…
Schwesi
9 votes, 5 answers

Is there an equivalent of PHP's mysql_real_escape_string() for Perl's DBI?

Could someone tell me if there is a function which works the same as PHP's mysql_real_escape_string() for Perl from the DBI module?
Phil Jackson