mysql_escape_string vs mysql_real_escape_string

So this is something we all should know about, and it played on my mind when I first saw it.

I know mysql_escape_string is deprecated as of 5.3, but what is the actual difference from mysql_real_escape_string?

I thought mysql_real_escape_string is the same as mysql_escape_string, except that mysql_real_escape_string accepts a second argument for the MySQL resource.

So then I thought that would be a little stupid; there should be some difference in how the strings are processed, because otherwise there would be no need for two functions.

So, I thought that the difference boils down to language and character encodings.

Can anyone clarify this for me?

+47
php escaping mysql-real-escape-string
Sep 08 2018-10-10T00:
4 answers

The difference is that mysql_escape_string simply treats the string as raw bytes and adds an escape code where it sees fit.

mysql_real_escape_string, on the other hand, uses the character set information of the MySQL connection. This means that the string is processed with multi-byte characters taken into account; that is, it will not insert escape characters in the middle of a character. That is why you need a connection for mysql_real_escape_string; it is necessary in order to know how to process the string.

However, instead of escaping, it is better to use parameterized queries from the MySQLi library; previously there were errors in the escaping routine, and it is possible that some may appear again. Query parameterization is much more complicated, so you are unlikely to be compromised through a MySQL error.

+84
Sep 08 2018-10-10T00:
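The byte-wise versus character-set-aware behaviour described in the answer above, as an added example that is not part of the original answers: a simplified Python model of both escaping strategies and of a server reading the result over a GBK connection. All function names are hypothetical, the sample value is constructed, and the code models the behaviour only; it is not PHP's or MySQL's implementation.

```python
# Simplified model (assumption): same escape set for both strategies.
SPECIAL = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
           "\\": "\\\\", "'": "\\'", '"': '\\"'}

# Constructed sample: a GBK character whose second byte is 0x5C (the ASCII
# backslash), followed by an apostrophe and the letter s.
SAMPLE = b"\xbf\x5c's"

def escape_bytewise(raw: bytes) -> bytes:
    """Models mysql_escape_string: every byte is judged on its own."""
    table = {ord(k): v.encode("ascii") for k, v in SPECIAL.items()}
    return b"".join(table.get(b, bytes([b])) for b in raw)

def escape_charset_aware(raw: bytes, charset: str) -> bytes:
    """Models mysql_real_escape_string: whole characters are judged."""
    text = raw.decode(charset)
    return "".join(SPECIAL.get(ch, ch) for ch in text).encode(charset)

def read_literal(body: bytes, charset: str):
    """Models a server reading the body of a '...' literal in `charset`.
    Returns (value, leftover); leftover is whatever follows a bare quote."""
    text = body.decode(charset)
    unescape = {v[1]: k for k, v in SPECIAL.items()}
    out, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            out.append(unescape.get(text[i + 1], text[i + 1]))
            i += 2
        elif ch == "'":
            return "".join(out), text[i + 1:]   # literal ended early
        else:
            out.append(ch)
            i += 1
    return "".join(out), ""

def compare(raw: bytes = SAMPLE, charset: str = "gbk") -> dict:
    """Escape `raw` both ways and show what the server would store."""
    return {
        "bytewise": read_literal(escape_bytewise(raw), charset),
        "charset_aware": read_literal(escape_charset_aware(raw, charset), charset),
    }

if __name__ == "__main__":
    for name, (value, leftover) in compare().items():
        print(f"{name:14} value={value!r} leftover={leftover!r}")
```

A non-empty leftover means the stored value was cut short and the rest of the input fell outside the string literal; the byte-wise escaper causes this by escaping the 0x5C byte inside the two-byte character.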

mysql_escape_string is not deprecated from 5.3, but from 4.3.0 and higher. Therefore, anyone using PHP version 4.3.0 or above should use mysql_real_escape_string.

If you use PHP < 4.3.0, then enable magic_quotes_gpc in php.ini. Updating is recommended, but if your code would have problems, then use magic_quotes_gpc and the addslashes function, not mysql_escape_string.

+3
Aug 29 2018-11-11T00:

Well ... sort of, yes. It takes into account the MySQL character set.

http://php.net/mysql_escape_string

This function is identical to mysql_real_escape_string(), except that mysql_real_escape_string() accepts a connection handler and escapes the string according to the current character set. mysql_escape_string() does not accept a connection argument and does not take into account the current character set setting.

+2
Sep 08 2018-10-10T00:

Now both of these functions are deprecated in PHP 4 >= 4.3.0 and PHP 5. They recommend using the PDO_MySQL extension.

+1
Jun 26 '13 at 2:25


