fingerprn Posted August 27, 2007: I'm trying to harden a dating script and I noticed that it was originally written using the deprecated "mysql_escape_string". Can I just do a search/replace on all of the pages and replace "mysql_escape_string" with "mysql_real_escape_string", or is there more to it? I tested it on one page and I didn't get any errors; however, I realize that doesn't necessarily mean it's protecting me from SQL injections. Thanks in advance.
chronister Posted August 27, 2007: Just doing a search & replace should not give ya any errors or problems, as long as you are only replacing mysql_escape_string with mysql_real_escape_string. nate
Jessica Posted August 27, 2007: As the manual says: "This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting." The only potential problem I see is if in the current code mysql_escape_string() is called when there is no connection to the DB; it will fail. If that is not a possible problem, switch them all over!
trq Posted August 27, 2007: sed -i -e 's/mysql_escape_string/mysql_real_escape_string/' *.php
Jessica Posted August 27, 2007: I don't think he's asking how to, I think he's asking if it will cause any problems with the code.
fingerprn (Author) Posted August 27, 2007: Thanks!!! I thought I could do it, but the examples were a little different, so I thought maybe I was missing something. Also, I couldn't help but wonder why, instead of creating a whole new function, they didn't just expand the capabilities of mysql_escape_string. I'm sure the reason was due to the connection issue, but I'd be surprised if anyone would use this without a db connection anyway. Thanks again!
Jessica Posted August 27, 2007: I wondered the same thing and I think it's because of the connection thing. People do silly things.
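The search/replace from trq's post together with Jessica's "no connection yet" caveat, as an added shell example that is not from the thread: it rewrites every call under a directory (with the g flag, so a line with two calls gets both rewritten), counts leftovers, and lists files that now call mysql_real_escape_string but open no connection themselves, so the ordering against the include that does connect has to be checked by hand. The two-file "site" it builds is constructed for the example; GNU sed -i is assumed.

```shell
#!/bin/sh
# Constructed sample site (not the OP's script): one page escaping input,
# one include that opens the connection.
make_sample_site() {
  dir=$(mktemp -d)
  cat > "$dir/search.php" <<'EOF'
<?php
require 'db.php';
$name = mysql_escape_string($_GET['name']); $city = mysql_escape_string($_GET['city']);
$sql = "SELECT * FROM profiles WHERE name='$name' AND city='$city'";
EOF
  cat > "$dir/db.php" <<'EOF'
<?php
$link = mysql_connect('localhost', 'user', 'pass');
EOF
  echo "$dir"
}

# Rewrite every mysql_escape_string( call in every .php file below $1.
# Without the trailing g, sed rewrites only the first call on each line.
# Matching the opening paren means mysql_real_escape_string( is never touched.
replace_escape_calls() {
  find "$1" -name '*.php' -exec sed -i -e 's/mysql_escape_string(/mysql_real_escape_string(/g' {} +
}

# Number of calls to the old function still present (expected: 0).
count_old_calls() {
  grep -rho 'mysql_escape_string(' "$1" | wc -l | tr -d ' '
}

# Files that now call mysql_real_escape_string but contain no
# mysql_connect/mysql_pconnect of their own: the connection comes from an
# include, so verify it is established before the first escape call.
files_needing_review() {
  for f in $(grep -rl 'mysql_real_escape_string(' "$1"); do
    grep -qE 'mysql_p?connect\(' "$f" || basename "$f"
  done
}
```

The review list is a heuristic (a file may connect via a function in yet another include), so treat it as a to-do list rather than a verdict.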