cunoodle2 Posted May 20, 2009

Is it even necessary/possible to use mysql_real_escape_string() with PDO statements? I'm going through some older code and updating everything from old school mysql connections to that of using PDO statements. Is it even necessary to use mysql_real_escape_string() with PDO? Help is appreciated. I've written a ton of php code but the PDO stuff is all new to me.
radi8 Posted May 20, 2009

I am sure it does not hurt. It looks like PDO is a wrapper class facilitating connection to a database. If your database is mysql, then using mysql_real_escape_string would be ok.
radi8 Posted May 20, 2009

For a mysql database, this appears to be a valid command sequence for PDO since the mysql_real_escape_string() prepares the string so that mysql doesn't barf on the value:

<?php
// $dbh is an already-open PDO connection; mysql_real_escape_string()
// separately needs an open mysql_* link to work.
$color = 'red';
$cal = 150;
/* Execute a prepared statement by passing an array of values */
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?');
$sth->execute(array($cal, mysql_real_escape_string($color)));
$red = $sth->fetchAll();
?>
cunoodle2 Posted May 20, 2009 Author

Yeah I too was able to get it to work directly in a statement like that. The issue that I was having was like having the mysql_real_escape_string() in part of a "clean" function where I could pass items to it and have the clean function handle it. Does anyone know how this is possible? It for some reason needs a DB connection in order to escape everything and I'm not sure. Here is my DB connection code..

<?php
// connect with listening statement (can only do select statements)
$listen = new PDO('mysql:host=localhost;dbname=db_name', 'db-user', 'db_pass');
?>

How would I go about creating a connection to the above in the middle of a clean function like this..

<?php
function clean($text)
{
    return mysql_real_escape_string($text);
}
?>

The only way I'm aware I could call my PDO connection would be through a prepare statement like this..

<?php
$stmt = $listen->prepare("SELECT *.....");
?>
Philip Posted May 20, 2009

If you use prepare you do not need to escape the quotes - however if you're using normal query you do.
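Added example, not code from any poster in this thread: it shows the difference Philip describes between query() and prepare(), and answers the earlier "clean" function question with PDO's own quote(). It assumes an in-memory SQLite PDO connection and a constructed fruit table so it runs without a MySQL server; the DSN would be the mysql: form from the thread in real use.

```php
<?php
// Added example (not from the thread). In-memory SQLite stands in for MySQL;
// with the mysql driver also pass PDO::ATTR_EMULATE_PREPARES => false in the
// constructor options so the server, not the client, separates SQL from values.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$pdo->exec("INSERT INTO fruit VALUES ('apple','red',95), ('pear','green',100), ('cherry','red',50)");

// Constructed user input containing a quote: the kind of value the thread's
// clean() function was meant to handle.
$colour = "red' OR colour = 'green";

// 1. Splicing the raw value into query(): the quote closes the string literal
//    and the rest of the input is executed as SQL, so green fruit come back too.
$unsafe = $pdo->query("SELECT name FROM fruit WHERE colour = '$colour'")
              ->fetchAll(PDO::FETCH_COLUMN);

// 2. PDO's replacement for mysql_real_escape_string(): quote() escapes using
//    the open connection's rules and adds the surrounding quotes itself. The
//    connection is required, so a clean() helper has to receive $pdo as an
//    argument rather than open its own link. The whole input is now compared
//    as one literal string, so no rows match.
function clean(PDO $pdo, string $text): string
{
    return $pdo->quote($text);
}
$escaped = $pdo->query("SELECT name FROM fruit WHERE colour = " . clean($pdo, $colour))
               ->fetchAll(PDO::FETCH_COLUMN);

// 3. Prepared statement with bound values: no escaping at all, because the
//    value never becomes part of the SQL text. This is the normal way to do it.
$sth = $pdo->prepare('SELECT name FROM fruit WHERE calories < ? AND colour = ?');
$sth->execute([150, $colour]);
$bound = $sth->fetchAll(PDO::FETCH_COLUMN);

var_dump($unsafe, $escaped, $bound);
```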