Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Do we need mysql_real_escape_string when we use mysqli?

  • #44734
    amis
    Participant

    hi there

    Do we need mysql_real_escape_string when we use mysqli ?

    #134874
    unasAquila
    Participant

    with mysqli it would be

    object oriented

    $checkVar = $mysqli->real_escape_string($checkVar);

    or procedurally

    $checkVar = mysqli_real_escape_string($dbConnection, $checkVar);

    either way it’s always good to do as much security testing as possible.

    #134876
    __
    Participant

    more specifically, **no**, do not use `mysql_real_escape_string()` with ext/mysqli.

    You cannot mix the `mysql_*()` functions with `mysql`**`i`** (functional or object-oriented styles). It may or may not throw any errors, but it will not do anything useful (and may even *open* security holes by making you *think* your data is escaped when it is not).

    A better option with mysqli is to use [prepared statements](http://php.net/mysqli.prepare): this way, you don’t have to worry about escaping data at all. MySQL will do it for you.
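The two safe options the replies above describe, side by side, as an added example (not code posted in this thread). The hostname, credentials, database, table and column names are assumptions for illustration; the script expects a reachable MySQL server and the mysqlnd driver (needed for `get_result()`).

```php
<?php
// Added example, not from the forum thread. Assumed setup: a local MySQL
// server with database "demo", user "demo" / password "secret", and a table
//   users(id INT, username VARCHAR(64), email VARCHAR(255)).

// Make mysqli throw exceptions instead of failing silently, so a mis-used
// call (including a mixed-up mysql_*() call) is noticed immediately.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$mysqli = new mysqli('localhost', 'demo', 'secret', 'demo');
// Escaping is charset-dependent; tell the connection which one is in use.
$mysqli->set_charset('utf8mb4');

$username = $_GET['username'] ?? ''; // untrusted input straight from the request

// Option 1 (preferred): prepared statement with a bound parameter.
// The value is sent to the server separately from the SQL text, so it can
// never change the structure of the query and needs no escaping at all.
$stmt = $mysqli->prepare('SELECT id, email FROM users WHERE username = ?');
$stmt->bind_param('s', $username); // 's' = bind as a string
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
$stmt->close();

// Option 2: escape with the mysqli escaping function (object-oriented form;
// mysqli_real_escape_string($mysqli, $username) is the procedural equivalent).
// It uses this connection's charset, which is why it must be the mysqli
// version. The escaped value is only safe inside quotes in the SQL string.
$safe = $mysqli->real_escape_string($username);
$sql  = "SELECT id, email FROM users WHERE username = '$safe'";
$rowsEscaped = $mysqli->query($sql)->fetch_all(MYSQLI_ASSOC);

// Not an option: mysql_real_escape_string($username) with a mysqli connection.
// It belongs to ext/mysql, which has no mysqli connection to take the charset
// from and was removed entirely in PHP 7.0, so the call does not work here.

var_dump($rows === $rowsEscaped); // both approaches return the same rows
```

Use option 1 by default; option 2 exists only for the cases where a parameter cannot be bound (for example a dynamic identifier), and even then it protects a value only when the value is quoted in the statement.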
