Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data? [duplicate]

Possible Duplicate:
mysql_escape_string VS mysql_real_escape_string

I need to get company_name (given by user through a form) entered into my mysql database. When I use

$company = mysqli_real_escape_string($_POST['company_name'])

I get an error

Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in /opt/lampp/htdocs/Abacus-Version-2/admin/Company/insert_company.php on line 58

But everything seems to fine while using

$company = mysql_real_escape_string($_POST['company_name'])

What can I do in such cases?

4

6 Answers

The one to use depends on whether you are using the MySQLi extension or the MySQL extension

// procedural mysqli
$db = new mysqli;
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", mysqli_real_escape_string($db,$name), mysqli_real_escape_string($db,$email), mysqli_real_escape_string($db,$comment) );
// mysql
$conn = mysql_connect();
$sql = sprintf("INSERT INTO table (id,name,email,comment) VALUES (NULL,'%s','%s','%s')", mysql_real_escape_string($name,$conn), mysql_real_escape_string($email,$conn), mysql_real_escape_string($comment,$conn) ); 
5

mysql_real_escape_string() is designed to make data safe for insertion into the database without errors. (IE such as escaping slashes so that it doesn't break your code).

You should use mysql_ or mysqli_ functions to match your connection string. "mysqli" is the object oriented implementation of the mysql set of functions, so the functions are called in the object oriented style. "mysql" is procedural. I'd suggest changing over to "mysqli" because I believe there has been talk of depreciating the "mysql" functions in future versions.

If you connection string is:

mysql_connect()

then use:

mysql_real_escape_string($_POST[''])

If it is:

$mysqli = new mysqli();

then use:

$mysqli->real_escape_string($_POST[''])
4

Definitely NO

Both functions has nothing to do with form data.
They have to be used to format string literals inserted into SQL query only.
This function belongs to the SQL query, not to whatever form. And even to very limited part of the query - a string literal.

So, every time you're going to insert into query a string literal (frankly, a portion of data enclosed in quotes), this function ought to be used unconditionally.
For the any other case it shouldn't be used at all.

As for the error you're getting - it's pretty self-explanatory: this function expects 2 parameters, not one. Just pass proper parameters as stated in the manual page for this function, and you'll be okay

2

It should be this if you use Procedural style:

$city = mysqli_real_escape_string($link, $city);

where link is the connection

or this when you use Object oriented style:

$city = $mysqli->real_escape_string($city);

Check out the php manual:

3

Since all the MySQL extension is being deprecated, you'd best use the MySQLi methods instead, it's more future proof.

Both variants are fine* (Please look at my Update).

When you are using a mysql_connect then you should stick to mysql_real_escape_string() and also pass the connection handle.

When you are using a mysqli_connect then you should stick to mysqli_real_escape_string().

UPDATE

As pointed out by Jeffrey in the comments, using mysql_ functions is NOT fine. I agree to that. I was just pointing out, that you need to use the function that is used by the MySQL-extension you are using.

It came to me, that it was not the question, which MySQL-extension to use, but which function for escaping data.

If you ask me:

  • Use mysqli or PDO, because mysql is not recommendable and deprecated.
  • Pass the Connection Handle to the escape-function or better
  • use prepared Statements (PDO-Style)
3

You Might Also Like