cunoodle2 Posted May 20, 2009

Is it even necessary/possible to use mysql_real_escape_string() with PDO statements? I'm going through some older code and updating everything from old school mysql connections to that of using PDO statements. Is it even necessary to use mysql_real_escape_string() with PDO? Help is appreciated. I've written a ton of PHP code but the PDO stuff is all new to me.
radi8 Posted May 20, 2009

I am sure it does not hurt. It looks like PDO is a wrapper class facilitating connection to a database. If your database is MySQL, then using mysql_real_escape_string would be ok.
radi8 Posted May 20, 2009

For a MySQL database, this appears to be a valid command sequence for PDO, since mysql_real_escape_string() prepares the string so that MySQL doesn't barf on the value:

<?php
// $dbh is an already-opened PDO connection to the MySQL database
$color = 'red';
$cal = 150;
/* Execute a prepared statement by passing an array of values */
$sth = $dbh->prepare('SELECT name, colour, calories FROM fruit WHERE calories < ? AND colour = ?');
$sth->execute(array($cal, mysql_real_escape_string($color)));
$red = $sth->fetchAll();
?>
cunoodle2 Posted May 20, 2009 (Author)

Yeah, I too was able to get it to work directly in a statement like that. The issue that I was having was having the mysql_real_escape_string() as part of a "clean" function where I could pass items to it and have the clean function handle it. Does anyone know how this is possible? It for some reason needs a DB connection in order to escape everything and I'm not sure why. Here is my DB connection code:

<?php
// connect with listening statement (can only do select statements)
$listen = new PDO('mysql:host=localhost;dbname=db_name', 'db-user', 'db_pass');
?>

How would I go about creating a connection to the above in the middle of a clean function like this?

<?php
function clean($text)
{
    return mysql_real_escape_string($text);
}
?>

The only way I'm aware I could call my PDO connection would be through a prepare statement like this:

<?php
$stmt = $listen->prepare("SELECT *.....");
?>
Philip Posted May 20, 2009

If you use prepare() you do not need to escape the quotes; however, if you're using a normal query you do.
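The following is an added example, not code from the thread, that shows the difference Philip describes: the same hostile value sent through a PDO prepared statement, through a query built by string concatenation, and through a hand-built query escaped with PDO::quote(), which is PDO's own replacement for mysql_real_escape_string() and needs no separate mysql_* link. It uses an in-memory SQLite database and a constructed fruit table so it runs offline; the table, rows and the injected value are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original thread). Requires the pdo_sqlite
// extension, which ships with most PHP CLI builds.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, matching the column names used earlier in the thread.
$dbh->exec('CREATE TABLE fruit (name TEXT, colour TEXT, calories INTEGER)');
$dbh->exec("INSERT INTO fruit VALUES ('apple', 'red', 95), ('banana', 'yellow', 105), ('cherry', 'red', 50)");

// Hostile input: a single quote closes the literal and appends a tautology.
$colour = "red' OR '1'='1";

// 1. Prepared statement with bound values. The SQL text is fixed when
//    prepare() runs; the value travels separately, so its quote cannot end
//    the literal. Nothing has the colour "red' OR '1'='1", so zero rows match.
$sth = $dbh->prepare('SELECT name FROM fruit WHERE calories < :cal AND colour = :colour');
$sth->execute([':cal' => 150, ':colour' => $colour]);
$bound = $sth->fetchAll(PDO::FETCH_COLUMN);
printf("prepared statement, bound value: %d row(s)\n", count($bound));   // 0

// 2. Query built by string concatenation. The same input rewrites the WHERE
//    clause to "colour = 'red' OR '1'='1'", returning every row under 150.
$sql = "SELECT name FROM fruit WHERE calories < 150 AND colour = '$colour'";
$concat = $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("concatenated string: %d row(s)\n", count($concat));              // 3

// 3. If a query really must be assembled by hand, PDO::quote() escapes using
//    the rules of the live connection's driver and adds the surrounding
//    quotes itself. This is the PDO equivalent of mysql_real_escape_string()
//    and, unlike it, does not require a mysql_* link resource.
$quoted = $dbh->quote($colour);
$sql = "SELECT name FROM fruit WHERE calories < 150 AND colour = $quoted";
$escaped = $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
printf("PDO::quote(): %d row(s)\n", count($escaped));                    // 0
```

When the connection is to MySQL rather than SQLite, also set PDO::ATTR_EMULATE_PREPARES to false on the handle so that pdo_mysql sends true server-side prepares instead of interpolating the bound values client-side; with emulation on, the separation between SQL and data in case 1 is done by the driver's own escaping rather than by the server. Bound values are the first choice either way; PDO::quote() is for the rare case where a value cannot be a placeholder, and it is never suitable for table or column names.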