mysql_real_escape_string() is not escaping anything

StackOverflow https://stackoverflow.com/questions/4357340

Question

  1. would I need to use real escape in both my INSERT and SELECT FROM statements?

  2. why the syntax I'm using in the following example isn't working (It's just one of the many ways I've tried)?

    //insert user input for word 1
$sql = "INSERT INTO test (Word1, Word2, Word3, Word4, Word5)
VALUES('$Word1','$Word2','$Word3','$Word4','$Word5')",
mysql_real_escape_string($Word1),
mysql_real_escape_string($Word2),
mysql_real_escape_string($Word3),
mysql_real_escape_string($Word4),
mysql_real_escape_string($Word5);
if(!mysql_query($sql,$con))
{
  die('Error: ' . mysql_error());
}
Was it helpful?

Solution

I highly recommend that you avoid escaping altogether, and move directly to prepared statements with mysqli::prepare, perhaps via PDO. It's ultimately simpler and safer:

$dsn = 'mysql:dbname=test;host=127.0.0.1';
$user = 'dbuser';
$password = 'dbpass';

$dbh = new PDO($dsn, $user, $password);

$sql =
    'INSERT INTO mytable ' .
    '(Word1, Word2, Word3, Word4, Word5)' .
    'VALUES(?, ?, ?, ?, ?)';

$stmt = $dbh->prepare($sql);

$words = array('word1', 'word2', 'word3', 'word4', 'word5');
$stmt->execute($words);

$words = array('word6', 'word7', 'word8', 'word9', 'word10');
$stmt->execute($words);

OTHER TIPS

It looks like you are trying to use sprintf(), to do so properly you need to reformat your code a little:

$sql = sprintf("INSERT INTO test (Word1, Word2, Word3, Word4, Word5)
VALUES('%s','%s','%s','%s','%s')",
mysql_real_escape_string($Word1),
mysql_real_escape_string($Word2),
mysql_real_escape_string($Word3),
mysql_real_escape_string($Word4),
mysql_real_escape_string($Word5)
);
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top