Can I use "mysql_real_escape_string" on "mysqli_connect" website?

Question

Can I use "mysql_real_escape_string" on "mysqli_connect" website?

Asked 8 years, 11 months ago

Viewed 2,513 times

3

I can use the function mysql_real_escape_string on a website built in mysqli_connect? And if yes makes a difference or the protection would be less?

Or should I use mysqli_escape_string? Because when I put the mysqli_escape_string made some mistakes when it went to make a mysqli_query..

mysqli_escape_string() expects exactly 2 parameters, 1 given in ....

BUT when using the mysql_escape_string he returns

mysql_escape_string(): This function is deprecated; use mysql_real_escape_string()

You should use mysql_real_escape_string?

3 answers

2

Reasons why mysql functions should not be used_, are obsolete, removed from php7, requires a mysql connection_ to work and does not solve the problem of sql injections because only escapes certain characters, to solve this use Prepared statements.

mysqli_escape_string() expects Exactly 2 Parameters, 1 Given in

When using the procedural style of mysqli ALMOST ALWAYS the first argument of the function is connection.

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Recommended Reading:

Why should we not use mysql type functions_*?

How to prevent SQL code injection into my PHP code

Select with Prepared statements Mysqli

Manual - mysqli_real_escape_string

always have to put the connection together? in my case >> $painel_log = mysqli_real_escape_string($conn, $_POST['painel_log']);

– Pedro Quezado

2015/12/10 at 12:39
@Pedroquezado, yes always, the second yellow line of the answer, shows the signature of the function and how many parameters you should pass when calling it.

– rray

2015/12/10 at 12:43

Browser other questions tagged php mysqli

You are not signed in. Login or sign up in order to post.

by Bia • **2,016** points · Answer 1 · 2015-12-10T12:35:20+00:00

3

No, do not use! The function mysql_real_escape_string is obsolete.

The right thing would be to use:

$anything = mysqli_real_escape_string($conexao, $_POST['variavel']);

always have to put the connection together? in my case >> $painel_log = mysqli_real_escape_string($conn, $_POST['painel_log']);

– Pedro Quezado

2015/12/10 at 12:37
@Pedroquezado When the mysqli functions are used the first argument is "always" the connection.

– Bia

2015/12/10 at 12:39
Ahhhhh entendiiii

– Pedro Quezado

2015/12/10 at 12:40
asauhsuhau VLWWW

– Pedro Quezado

2015/12/10 at 12:40

by Marcio Jalber • **705** points · Answer 2 · 2015-12-10T13:04:31+00:00

Dude, learn and use PDO. PHP 7 has already been released, which has rendered all the mysql_* functions obsolete, rendering legacy code incompatible. Eventually you will have to deal with this problem. PDO has a method called bindValue that solves this problem easily for you.