mysql_escape_string VS mysql_real_escape_string

by

The difference is that mysql_escape_string just treats the string as raw bytes, and adds escaping where it believes it’s appropriate.

mysql_real_escape_string, on the other hand, uses the information about the character set used for the MySQL connection. This means the string is escaped while treating multi-byte characters properly; i.e., it won’t insert escaping characters in the middle of a character. This is why you need a connection for mysql_real_escape_string; it’s necessary in order to know how the string should be treated.

However, instead of escaping, it’s a better idea to use parameterized queries from the MySQLi library; there has previously been bugs in the escaping routine, and it’s possible that some could appear again. Parameterizing the query is much, much harder to mess up, so it’s less likely that you can get compromised by a MySQL bug.

More Related Contents:

  1. Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?
  2. Prevent PHP parsing in strings [closed]
  3. Pass a PHP string to a JavaScript variable (and escape newlines) [duplicate]
  4. How to decode Unicode escape sequences like “\u00ed” to proper UTF-8 encoded characters?
  5. How to escape strings in SQL Server using PHP?
  6. Is there a PHP function that can escape regex patterns before they are applied?
  7. What does it mean to escape a string?
  8. Is mysql_real_escape_string() broken?
  9. Dollar ($) sign in password string treated as variable
  10. Escaping MySQL wild cards
  11. Escaping single quote in PHP when inserting into MySQL [duplicate]
  12. How to search for slash (\) in MySQL? and why escaping (\) not required for where (=) but for Like is required?
  13. Shortcomings of mysql_real_escape_string?
  14. With “magic quotes” disabled, why does PHP/WordPress continue to auto-escape my POST data?
  15. Alternative to mysql_real_escape_string without connecting to DB
  16. How do I escape only single quotes?
  17. preg_replace: add number after backreference
  18. Escape string to use in mail()
  19. PHP sprintf escaping %
  20. What literal characters should be escaped in a regex?
  21. PHP quotes inside quotes
  22. HTML,PHP – Escape ” symbols while echoing
  23. Do I need to escape backslashes in PHP?
  24. Pass a PHP variable to a JavaScript variable
  25. PHP mysql_real_escape_string() -> stripslashes() leaving multiple slashes
  26. Do I have to use mysql_real_escape_string if I bind parameters?
  27. Escaping CURL @ symbol with PHP
  28. Should I use mysqli_real_escape_string or should I use prepared statements? [duplicate]
  29. PHP: Escape RegEx pattern to prevent being applied?
  30. How to safely output HTML from a PHP program?

Leave a Comment