fingerprn Posted August 27, 2007 Share Posted August 27, 2007 I'm trying to harden a dating script and I noticed that it was originally written using the deprecated "mysql_escape_string". Can I just do a search/replace to all of the pages and replace "mysql_escape_string" with "mysql_real_escape_string", or it there more to it? I tested it on one page and I didn't get any errors, however, I realize that doesn't necessary mean it's protecting me from SQL injections. Thanks in advance. Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/ Share on other sites More sharing options...
chronister Posted August 27, 2007 Share Posted August 27, 2007 just doing a search & replace should not give ya any errors or problems as long as you are only replacing mysql_escape_string with mysql_real_escape_string nate Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334871 Share on other sites More sharing options...
Jessica Posted August 27, 2007 Share Posted August 27, 2007 As the manual says: This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting. The only potential problem I see is if in the current code mysql_escape_string() is called when there is no connection to the DB, it will fail. If that is not a possible problem, switch them all over! Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334882 Share on other sites More sharing options...
trq Posted August 27, 2007 Share Posted August 27, 2007 sed -i -e 's/mysql_escape_string/mysql_real_escape_string/' *.php Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334887 Share on other sites More sharing options...
Jessica Posted August 27, 2007 Share Posted August 27, 2007 I don't think he's asking how to, I think he's asking if it will cause any problems with the code. Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334889 Share on other sites More sharing options...
fingerprn Posted August 27, 2007 Author Share Posted August 27, 2007 Thanks!!! I thought I could do it, but the examples were a little different, so I thought maybe I was missing something. Also, I couldn't help but wonder why, instead of creating a creating a whole new function, they didn't just expand the capabilities of mysql_escape_string. I sure the reason was because a due to the connection issue, but I'd be surprised if anyone would use this without a db connection anyway. Thanks again! Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334923 Share on other sites More sharing options...
Jessica Posted August 27, 2007 Share Posted August 27, 2007 I wondered the same thing and I think it's because of the connection thing. People do silly things Quote Link to comment https://forums.phpfreaks.com/topic/66809-question-about-replacing-mysql_escape_string/#findComment-334925 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.