
Do we need mysql_real_escape_string when we use mysqli ?

    # May 13, 2013 at 12:42 am

    hi there

    Do we need mysql_real_escape_string when we use mysqli ?

    # May 13, 2013 at 12:49 am

    with mysqli it would be

    object oriented

    ```php
    $checkVar = $mysqli->real_escape_string($checkVar);
    ```

    or procedurally

    ```php
    $checkVar = mysqli_real_escape_string($dbConnection, $checkVar);
    ```

    either way it’s always good to do as much security testing as possible.

    # May 13, 2013 at 12:58 am

    more specifically, **no**, do not use `mysql_real_escape_string()` with ext/mysqli.

    You cannot mix the `mysql_*()` functions with `mysql`**`i`** (functional or object-oriented styles). It may or may not throw any errors, but it will not do anything useful (and may even *open* security holes by making you *think* your data is escaped when it is not).

    A better option with mysqli is to use [prepared statements](http://php.net/mysqli.prepare): this way, you don’t have to worry about escaping data at all. MySQL will do it for you.
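
The two approaches from the replies above, side by side, as an added example that is not code from the original thread. It assumes a MySQL server on localhost with a database `app`, a user `app_user` with password `secret`, and a table `users(id INT, username VARCHAR(64))`; those names are placeholders. It also shows the caveat escaping leaves open: `real_escape_string()` neutralises quote characters but does not add them, so an escaped value spliced into an unquoted position is still injectable. (Note that ext/mysql, and with it `mysql_real_escape_string()`, was removed entirely in PHP 7.0, so on current PHP the mixed-up call is simply an undefined function.)

```php
<?php
// Added example, not code from the original thread. Connection details,
// database, and table layout are assumptions (see lead-in).
declare(strict_types=1);

// Throw exceptions on failure instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect(): mysqli
{
    $db = new mysqli('localhost', 'app_user', 'secret', 'app');
    // Escaping is charset-aware: set the charset on the connection object,
    // never via "SET NAMES", or real_escape_string() may escape for the
    // wrong charset.
    $db->set_charset('utf8mb4');
    return $db;
}

// 1. Escaping with ext/mysqli (object-oriented and procedural styles are
//    interchangeable; both need the mysqli connection, not an ext/mysql one).
function findIdByEscaping(mysqli $db, string $username): ?int
{
    $escapedOo   = $db->real_escape_string($username);
    $escapedProc = mysqli_real_escape_string($db, $username); // same result

    // The escaped value MUST still be wrapped in quotes in the SQL text.
    $sql = "SELECT id FROM users WHERE username = '" . $escapedOo . "'";
    $row = $db->query($sql)->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}

// UNSAFE counterpart, kept for contrast only. The input "1 OR 1=1" contains
// no quote to escape, so real_escape_string() returns it unchanged and the
// query becomes "... WHERE id = 1 OR 1=1".
function findIdUnquotedUnsafe(mysqli $db, string $id): ?int
{
    $sql = 'SELECT id FROM users WHERE id = ' . $db->real_escape_string($id);
    $row = $db->query($sql)->fetch_assoc();
    return $row === null ? null : (int) $row['id'];
}

// 2. Prepared statement: the SQL text and the parameter value are sent to
//    the server separately, so no escaping or quoting is involved at all.
function findIdPrepared(mysqli $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
    $stmt->bind_param('s', $username); // 's' string, 'i' int, 'd' double, 'b' blob
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : null;
}

$db = connect();
// Constructed sample input containing a quote: safe in both (1) and (2).
$username = $_GET['username'] ?? "o'brien";
var_dump(findIdByEscaping($db, $username));
var_dump(findIdPrepared($db, $username));
$db->close();
```

`findIdPrepared()` is the one to copy: it stays correct however the input is shaped, whereas `findIdByEscaping()` is only as safe as the quoting around each interpolated value, which is exactly what `findIdUnquotedUnsafe()` gets wrong.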
