mysql_real_escape_string necessary when using prepared statements

It is by accident that I noticed that I forgot to use
mysql_real_escape_string in part of my webapp.
I tested input with the following text: Hélène 51°56'12'' http://www.mysite.org/folder
3 functions worked correctly and 1 failed:
The one that failed didn't have mysql_real_escape_string, and neither
did 2 of the ones that worked: in those 2 I used prepared SQL
statements (PEAR DB package). The other one that worked used
mysql_real_escape_string.

So my question: can you do without mysql_real_escape_string when using
prepared SQL statements with the PEAR DB package or PDO?

For PDO apparently you can when you use quote() and prepared
statements.

Pugi

Aug 14 '07 #1
Pugi! wrote:
> It is by accident that I noticed that I forgot to use
> mysql_real_escape_string in part of my webapp.
> I tested input with the following text: Hélène 51°56'12'' http://www.mysite.org/folder
> 3 functions worked correctly and 1 failed:
> The one that failed didn't have mysql_real_escape_string, and neither
> did 2 of the ones that worked: in those 2 I used prepared SQL
> statements (PEAR DB package). The other one that worked used
> mysql_real_escape_string.
>
> So my question: can you do without mysql_real_escape_string when using
> prepared SQL statements with the PEAR DB package or PDO?
>
> For PDO apparently you can when you use quote() and prepared
> statements.
>
> Pugi
True, prepared statements don't need mysql_real_escape_string().

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 14 '07 #2
..oO(Pugi!)
> So my question: can you do without mysql_real_escape_string when using
> prepared SQL statements with the PEAR DB package or PDO?
Yes. That's one reason for using prepared statements - you just tell the
DBMS what kind of data you will send to it, and the server itself takes
care of the proper encoding/escaping if necessary.
> For PDO apparently you can when you use quote() and prepared
> statements.
Forget this method - it kinda defeats the purpose of prepared
statements. From the PDO->quote() manual:

| If you are using this function to build SQL statements, you are
| _strongly_ recommended to use PDO->prepare() to prepare SQL statements
| with bound parameters instead of using PDO->quote() to interpolate
| user input into a SQL statement. [...]

Micha
Aug 14 '07 #3
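The three cases the thread contrasts (unescaped interpolation, a prepared statement with a bound parameter, and PDO->quote()), run against the poster's own test string. This is an added example, not code from the thread or from PEAR/PDO; it assumes a MySQL table `notes` with a `body VARCHAR(255)` column and the DSN and credentials shown.

```php
<?php
// The test value from the original post.
$input = "Hélène 51°56'12'' http://www.mysite.org/folder";

// Assumed DSN, database and credentials (placeholders, not from the thread).
$pdo = new PDO(
    'mysql:host=localhost;dbname=test;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Send the SQL text and the parameters to the server separately,
        // so the server binds them instead of the PDO driver interpolating.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

// 1. The function that failed in the post: the value is pasted into the
//    SQL text with no escaping. The quotes inside the input close the
//    string literal early, so MySQL rejects the statement.
function insertUnescaped(PDO $pdo, string $value): bool {
    try {
        $pdo->exec("INSERT INTO notes (body) VALUES ('$value')");
        return true;
    } catch (PDOException $e) {
        return false;  // syntax error caused by the unbalanced quotes
    }
}

// 2. Prepared statement with a bound parameter: the value never becomes
//    part of the SQL text, so no escaping of $value is needed.
function insertPrepared(PDO $pdo, string $value): bool {
    $stmt = $pdo->prepare('INSERT INTO notes (body) VALUES (:body)');
    return $stmt->execute([':body' => $value]);
}

// 3. PDO->quote(): escapes and wraps the value, but still builds the SQL
//    by concatenation. The PDO manual recommends prepare() with bound
//    parameters over this.
function insertQuoted(PDO $pdo, string $value): bool {
    $sql = 'INSERT INTO notes (body) VALUES (' . $pdo->quote($value) . ')';
    return $pdo->exec($sql) === 1;
}

var_dump(insertUnescaped($pdo, $input));
var_dump(insertPrepared($pdo, $input));
var_dump(insertQuoted($pdo, $input));
```

Disabling emulated prepares matters for the "server takes care of it" argument: with emulation on, the PDO MySQL driver escapes and interpolates the parameters client-side before sending a plain query.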
