fingerprn (posted August 27, 2007):
I'm trying to harden a dating script and I noticed that it was originally written using the deprecated "mysql_escape_string". Can I just do a search/replace on all of the pages and replace "mysql_escape_string" with "mysql_real_escape_string", or is there more to it? I tested it on one page and I didn't get any errors; however, I realize that doesn't necessarily mean it's protecting me from SQL injections. Thanks in advance.
chronister (posted August 27, 2007):
Just doing a search & replace should not give ya any errors or problems as long as you are only replacing mysql_escape_string with mysql_real_escape_string.
nate
Jessica (posted August 27, 2007):
As the manual says: "This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting."
The only potential problem I see is if in the current code mysql_escape_string() is called when there is no connection to the DB, it will fail. If that is not a possible problem, switch them all over!
trq (posted August 27, 2007):
    sed -i -e 's/mysql_escape_string/mysql_real_escape_string/g' *.php
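A pre-flight check for the swap discussed above, as an added example that is not part of the original thread: it lists the files that call mysql_escape_string() without opening a connection themselves (the failure case Jessica describes), then does the replacement with backups. The function names, the .php suffix and the sample files are assumptions made for the example.

```sh
# Added example, not from the thread. Assumes PHP sources end in .php.
CALL_RE='(^|[^[:alnum:]_])mysql_escape_string[[:space:]]*\('
CONN_RE='mysql_p?connect[[:space:]]*\('

# Files under $1 that call mysql_escape_string().
files_with_calls() {
    find "$1" -type f -name '*.php' -exec grep -lE "$CALL_RE" {} + | sort
}

# Of those, the files that never call mysql_connect()/mysql_pconnect()
# themselves. Heuristic: the connection may come from an include, so
# each hit needs a manual look before the swap.
files_without_connection() {
    files_with_calls "$1" | while IFS= read -r f; do
        grep -qE "$CONN_RE" "$f" || printf '%s\n' "$f"
    done
}

# Swap every occurrence, keeping FILE.bak beside each changed file.
# The g flag rewrites all calls on a line, not just the first.
migrate_calls() {
    files_with_calls "$1" | while IFS= read -r f; do
        sed -i.bak -e 's/mysql_escape_string/mysql_real_escape_string/g' "$f"
    done
}

# Constructed sample tree for trying the functions out.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    cat > "$d/search.php" <<'EOF'
<?php
mysql_connect('localhost', 'app', 'secret');
$q = "... WHERE a='" . mysql_escape_string($a) . "' AND b='" . mysql_escape_string($b) . "'";
EOF
    cat > "$d/helpers.php" <<'EOF'
<?php
function clean($v) { return mysql_escape_string($v); }
EOF
    printf '%s\n' "$d"
}
```

Run files_without_connection on the source tree first; anything it lists needs checking for an included connection before migrate_calls is run.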
Jessica (posted August 27, 2007):
I don't think he's asking how to, I think he's asking if it will cause any problems with the code.
fingerprn (posted August 27, 2007):
Thanks!!! I thought I could do it, but the examples were a little different, so I thought maybe I was missing something. Also, I couldn't help but wonder why, instead of creating a whole new function, they didn't just expand the capabilities of mysql_escape_string. I'm sure the reason was due to the connection issue, but I'd be surprised if anyone would use this without a db connection anyway. Thanks again!
Jessica (posted August 27, 2007):
I wondered the same thing and I think it's because of the connection thing. People do silly things.
This topic is now archived and is closed to further replies.