What is the PDO equivalent of function mysql_real_escape_string?


Related functions: mysqli_real_escape_string(), mysql_real_escape_string(), mysql_escape_string(). The output below is from the PHP manual's "Example #1 Simple mysql_real_escape_string() example", showing what the function does when no link to the server can be established (it returns false, and the query is built with an empty literal):

Warning: mysql_real_escape_string(): No such file or directory in /this/test/script.php on line 5
Warning: mysql_real_escape_string(): A link to the server could not be established in /this/test/script.php on line 5

bool(false)
string(41) "SELECT * FROM actors WHERE last_name = ''"

I am modifying my code from using mysql_* to PDO. In my code I had mysql_real_escape_string(). What is the equivalent of this in PDO?

If to answer the original question, then this is the PDO equivalent for mysql_real_escape_string:

Comments on the accepted answer:

Technically there's PDO::quote() but this is the right answer and it isn't a direct equivalent of mysql_real_escape_string(). – Michael Berkowski Dec 23 '12 at 16:35

@samayo I don't know why I chose the words I did 4 years ago, but prepare()/execute() has always been the preferred method. PDO::quote() is hardly ever used in practice and isn't exactly equivalent to mysql_real_escape_string(). – Michael Berkowski Jun 30 '16 at 10:32

Below is an example of a safe database query using prepared statements (PDO).

  try {
     // first connect to database with the PDO object.
     // charset in the DSN, native (non-emulated) prepares, and exceptions on error
     $db = new \PDO("mysql:host=localhost;dbname=xxx;charset=utf8", "xxx", "xxx", [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION
     ]);
  } catch (\PDOException $e) {
     // if connection fails, show PDO error.
     // (in production, log the message instead of echoing it to the client)
     echo "Error connecting to mysql: " . $e->getMessage();
  }

And, now assuming the connection is established, you can execute your query like this.

if ($_POST && isset($_POST['color'])) {

   // preparing a statement: the value is sent separately, never interpolated
   $stmt = $db->prepare("SELECT id, name, color FROM Cars WHERE color = ?");

   // execute/run the statement with the user value bound to the placeholder
   $stmt->execute(array($_POST['color']));

   // fetch the result.
   $cars = $stmt->fetchAll(\PDO::FETCH_ASSOC);
   var_dump($cars);
}

It is worth noting that you should pass charset=utf8 as an attribute in your DSN, as seen above, for security reasons, and always enable PDO to show errors in the form of exceptions:

PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION

Technically there is PDO::quote() but it is rarely ever used and is not the equivalent of mysql_real_escape_string().

There is none*! The object of PDO is that you don't have to escape anything; you just send it as data. For example:

Last but not least, there are moments when you should not trust PDO 100%, and will be bound to take some extra measures to prevent SQL injection. One of those cases is if you are using outdated versions of mysql [ mysql =< 5.3.6 ] as described in this answer.

Now, as you can probably tell, I haven't used anything to escape/sanitize the value of $_POST["color"]. And this code is secure from MySQL injection thanks to PDO and the power of prepared statements.


OK. Just started looking into PDO and converting my old mysql_connects to PDO. One thing I can't seem to find is if PDO has a method similar to mysql_real_escape_string. Does it even need one?

When you make the move over to PDO, use parameter binding instead of just concatenating strings together to make a statement.

There. Done! 100% working. I think I've just answered my own question though.

PDO->quote escapes a string, but as already mentioned, you rarely need it with PDO.
Bound parameters are indeed quite similar to sprintf. The usage is like:

$db = new PDO(...);
// named placeholder; the value is bound at execute time, not spliced into the SQL
$stmt = $db->prepare("SELECT * FROM foo where name = :name");
$stmt->execute(array(':name' => $name));
foreach ($stmt as $row) {
   var_dump($row);
}

Is there an SQL injection possibility even when using mysql_real_escape_string() function?

In PDO, both its equivalent function PDO::quote() and its prepared statement emulator call upon mysql_handle_quoter(), which does exactly this: it ensures that the escaped literal is quoted in single-quotes, so you can be certain that PDO is always immune from this bug.

use native prepared statements

Now, it's worth noting that you can prevent this by disabling emulated prepared statements:

Consider this sample situation. SQL is constructed in PHP like this:

$login = mysql_real_escape_string(GetFromPost('login'));
$password = mysql_real_escape_string(GetFromPost('password'));

$sql = "SELECT * FROM table WHERE login='$login' AND password='$password'";

Classic injections like this:

aaa ' OR 1=1 --
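The following script is an added example, not code from any of the answers or questions quoted above. It puts the two points of this page into one place: values are bound as parameters (the answer to the original question), literals that must be built into SQL text go through PDO::quote(), which always returns a single-quoted literal (the point of the last answer), and identifiers, which cannot be bound at all, are checked against a whitelist. It assumes a reachable MySQL server and a Cars(id, name, color) table; the DSN, user and password are placeholders.

```php
<?php
// Added example, not code from any answer quoted above. Assumes a reachable MySQL
// server and a Cars(id, name, color) table; DSN, user and password are placeholders.
declare(strict_types=1);

function connect(): PDO
{
    // charset in the DSN, native prepares and exceptions, as the answers recommend
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'USER_PLACEHOLDER',
        'PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_EMULATE_PREPARES   => false,
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Values: bound as parameters. The input travels to the server separately from
// the SQL text, so nothing in it (quotes, comment markers, OR 1=1) can change
// the statement's structure; there is nothing to escape.
function carsByColor(PDO $db, string $color): array
{
    $stmt = $db->prepare('SELECT id, name, color FROM Cars WHERE color = :color');
    $stmt->execute([':color' => $color]);
    return $stmt->fetchAll();
}

// Identifiers: a column name cannot be a bound parameter, so this is the one
// place where PDO leaves the check to you. A whitelist, not escaping, does it.
function carsSorted(PDO $db, string $column): array
{
    $allowed = ['id', 'name', 'color'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("Unsupported sort column: $column");
    }
    return $db->query("SELECT id, name, color FROM Cars ORDER BY `$column`")->fetchAll();
}

// Literals: PDO::quote() is the closest thing to mysql_real_escape_string(), and
// unlike it the result already carries its own single quotes, so it can never be
// dropped unquoted into SQL text. Placeholders remain the first choice.
function literal(PDO $db, string $raw): string
{
    return $db->quote($raw);
}

// Usage from a form handler: $cars = carsByColor(connect(), $_POST['color'] ?? '');
```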