
PHP Server Side Scripting Forum

Safest way to insert mysql data?

 1:39 pm on Sep 20, 2013 (gmt 0)

I used to use the mysql_real_escape function to insert data, but that just returns "" now. Is there a new function for this or something? Sorry, it's been a while since I've been in the php world.



 3:56 pm on Sep 20, 2013 (gmt 0)

Have you connected to the database prior to calling mres? If you do not have an active connection, it'll return false and trigger an E_WARNING.


 4:04 pm on Sep 20, 2013 (gmt 0)

ahh, maybe that was my problem. Like I said, it's been a while. I've been spoiled by linq, visual studio, and .net. Just drag the table into my dbml file, then call the object and pass in stuff and hit call submitchanges. Just too damn easy.


 2:05 pm on Sep 21, 2013 (gmt 0)

A lot has changed over the past few years in PHP, including the deprecation of the mysql_ functions:


The PHP team recommends using PDO for all new development. There are a lot of people who swear by Zend_Db and Doctrine, which layer on top of PDO's not quite perfect interface.

To see why something is broken, my go-to is var_dump($somevar). It shows me the data type of the variable and the value of the variable, the former sometimes being incredibly useful for tracking down a bug. In your case, it would have shown a 'bool' as the data type.


 6:14 pm on Sep 21, 2013 (gmt 0)

To extend on best practices... For new developments, it is wise to have some very wide error reporting on:

error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', 1);

You would have caught this error instantly without needing to come here if you'd had that active.


 7:07 pm on Sep 21, 2013 (gmt 0)

As hinted at, mysql_real_escape() should not return "" (an empty string) unless something else is wrong in your code. Nothing has changed in this respect.

However, whether you should be using mysql_real_escape() (part of the outdated MySQL extension) is another matter. As mentioned above, PDO is the recommended extension these days. You can then use prepared queries, which avoids the need to manually "mysql escape" anything.


 10:06 am on Sep 22, 2013 (gmt 0)

If you want you can also use the mysqli (note the i) interface. It's a bit more familiar than the PDO stuff and it's not deprecated like the mysql one. It also supports prepared statements so you can get rid of all the escaping crap (if you use prepared statements to separate code from data).


 1:11 pm on Sep 23, 2013 (gmt 0)

Thanks, I had looked at mysqli; it's just tough to switch to a new one because I'll have to invest time in learning something new, and I don't really do that much with php now anyways. I'll probably use pdo though, thanks.


 1:18 pm on Sep 23, 2013 (gmt 0)

And just so I'm clear, do I need to do anything to user inputted data that goes into my queries to protect against injection attacks, or does the PDO class handle that on the back end?
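To make the PDO answer concrete: values go through placeholders and are never escaped or concatenated by hand. The following is an added example, not code from this thread; it assumes PHP 7 or later, a MySQL database named app with a users(id, name, email) table, and placeholder credentials.

```php
<?php
// Added example (not from the thread): inserting user input with PDO prepared statements.
// Assumed: database "app" with table users(id INT AUTO_INCREMENT, name VARCHAR(64), email VARCHAR(255)).
// Host, user and password below are placeholders.

$dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
$pdo = new PDO($dsn, 'app_user', 'REPLACE_WITH_PASSWORD', [
    // Throw on failure instead of silently returning false, so errors cannot be missed
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    // Use real server-side prepared statements so data never becomes part of the SQL text
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Constructed sample input, taken as-is from the request; no manual escaping is applied
$name  = $_POST['name']  ?? "O'Brien";
$email = $_POST['email'] ?? "x' OR '1'='1";

// The SQL contains only placeholders; the values travel separately and are treated
// strictly as data, so the quote in $name and the injection-looking $email are
// stored literally rather than interpreted as SQL.
$stmt = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
$stmt->execute([':name' => $name, ':email' => $email]);
$newId = (int) $pdo->lastInsertId();

// Same approach for reads; bindValue lets you declare the type of non-string parameters
$stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
$stmt->bindValue(':id', $newId, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch();

// Caveat: placeholders cover values only. Table and column names (for example an
// ORDER BY column) cannot be bound, so if those must vary, check them against a
// fixed whitelist before they reach the query string.
$allowedSort = ['name', 'email'];
$requested   = $_GET['sort'] ?? '';
$sort        = in_array($requested, $allowedSort, true) ? $requested : 'name';
$rows = $pdo->query("SELECT id, name, email FROM users ORDER BY $sort")->fetchAll();
```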


 1:21 pm on Sep 23, 2013 (gmt 0)

And thanks, I had missed the ini set. I had set error reporting on but nothing was coming up. Forgot about the ini set. I guess I'm a lot more rusty than I thought.
