
Question about replacing mysql_escape_string


fingerprn


I'm trying to harden a dating script and I noticed that it was originally written using the deprecated "mysql_escape_string".

 

Can I just do a search/replace to all of the pages and replace "mysql_escape_string" with "mysql_real_escape_string", or is there more to it? I tested it on one page and I didn't get any errors, however, I realize that doesn't necessarily mean it's protecting me from SQL injections.

 

Thanks in advance. 

 

As the manual says:

 

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

 

The only potential problem I see is if in the current code mysql_escape_string() is called when there is no connection to the DB, it will fail. If that is not a possible problem, switch them all over! :)
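The search/replace from the question combined with the connection caveat from the reply, as an added example that is not part of the original thread: a Python script that rewrites each `mysql_escape_string(` call and labels it by whether a `mysql_connect()`/`mysql_pconnect()` call or an include appears earlier in the same file. The line-order check is a heuristic, the status names are made up for this example, and the sample PHP is constructed.

```python
import re

# PHP function names are case-insensitive, hence IGNORECASE throughout.
OLD_CALL = re.compile(r"\bmysql_escape_string\s*\(", re.IGNORECASE)
CONNECT = re.compile(r"\bmysql_p?connect\s*\(", re.IGNORECASE)
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b", re.IGNORECASE)

# Constructed sample input, not taken from the script in the thread.
SAMPLE = """<?php
$name = mysql_escape_string($_GET['name']);
require_once 'db.php';
$age = MYSQL_ESCAPE_STRING($_GET['age']);
mysql_connect($host, $user, $pass);
$city = mysql_escape_string($_GET['city']);
"""


def migrate(source):
    """Rewrite deprecated calls; return (new_source, [(line, status), ...]).

    Status is judged from earlier lines of the same file only (a heuristic,
    since file order is not always execution order):
      ok             a mysql_connect()/mysql_pconnect() call appears earlier
      check-include  only an include/require appears earlier; inspect it
      no-connection  nothing earlier opens a connection
    """
    connected = included = False
    findings, out = [], []
    for lineno, line in enumerate(source.splitlines(keepends=True), start=1):
        if OLD_CALL.search(line):
            status = ("ok" if connected
                      else "check-include" if included
                      else "no-connection")
            findings.append((lineno, status))
            line = OLD_CALL.sub("mysql_real_escape_string(", line)
        # Update state after classifying, so a line never vouches for itself.
        connected = connected or bool(CONNECT.search(line))
        included = included or bool(INCLUDE.search(line))
        out.append(line)
    return "".join(out), findings


if __name__ == "__main__":
    new_source, findings = migrate(SAMPLE)
    for lineno, status in findings:
        print(f"line {lineno}: {status}")
    print(new_source, end="")
```
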

Thanks!!! I thought I could do it, but the examples were a little different, so I thought maybe I was missing something. Also, I couldn't help but wonder why, instead of creating a whole new function, they didn't just expand the capabilities of mysql_escape_string. I'm sure the reason was due to the connection issue, but I'd be surprised if anyone would use this without a db connection anyway.

 

Thanks again!
