SitePoint Sponsor

User Tag List

Results 1 to 6 of 6
  1. #1
    SitePoint Evangelist
    Join Date
    Nov 2009
    Posts
    471
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    When to use mysqli_real_escape_string

    If I have a situation where the user will input a name such as a city and then I store that in a session variable and use it multiple times to create sql queries during the session, can I use mysqli_real_escape_string at the time I capture the city name the first time and put it in the session variable rather than using it every time I perform a query?

    Also, if I were to store that city name in a database for future use, if I use mysqli_real_escape_string before I store it in the database, can I then retrieve that city name in the future without using mysqli_real_escape_string again the next time I use it in a query?

  2. #2
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,869
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    If you use prepare statements then you will NEVER need to use mysqli_real_escape_string as prepare statements will ensure that the query and the data are completely separate and the data can't be used to inject code into the query instead of having to escape the data in order for SQL to be able to tell the difference.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  3. #3
    SitePoint Evangelist
    Join Date
    Nov 2009
    Posts
    471
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Thanks for the input. I am off studying the PDO now and plan to head that way so you are right, once I do that this point is moot. But definitely the way to go. Thanks again.

  4. #4
    SitePoint Evangelist
    Join Date
    Nov 2009
    Posts
    471
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Although one question regarding that whole subject.

    If I create a persistent connection to the database and prepare a query once, run and leave that php script, if I come back in, do I need to prepare it again or can I just use it since the connection is persistent?

    And is there a downside to a persistent connection?

    Thanks

  5. #5
    Programming Since 1978 silver trophybronze trophy felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,869
    Mentioned
    25 Post(s)
    Tagged
    1 Thread(s)
    Quote Originally Posted by bostboy View Post
    Thanks for the input. I am off studying the PDO now
    You don't need PDO if you are using mysqli because mysqli unlike mysql supports prepare statements directly.

    I recommend NOT creating a persistent connection to the database - it can cause lots of problems and provides almost no benefits.
    Stephen J Chapman

    javascriptexample.net, Book Reviews, follow me on Twitter
    HTML Help, CSS Help, JavaScript Help, PHP/mySQL Help, blog
    <input name="html5" type="text" required pattern="^$">

  6. #6
    SitePoint Evangelist
    Join Date
    Nov 2009
    Posts
    471
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Got it. So there is no real advantage to using PDO in this case? I have no need for transactions and all the database stuff is pretty straight forward, selects, inserts, updates, etc.

    One more question, how do I prepare a select statement using an in statement when I build that in statement dynamically? Select * from tbl1 where fld1 in (x, x, x, x, x, x, x...) and I am not sure until runtime how many x's there will be. Thanks for the input.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •