
Safest way to insert mysql data?

1:39 pm on Sep 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


I used to use the mysql_real_escape function to insert data, but that just returns "" now. Is there a new function for this or something? Sorry, it's been a while since I've been in the PHP world.
3:56 pm on Sept 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Dec 13, 2009
posts:945
votes: 0


Have you connected to the database prior to calling mres? If you do not have an active connection, it'll return false and trigger an E_WARNING.
4:04 pm on Sept 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


Ahh, maybe that was my problem. Like I said, it's been a while. I've been spoiled by LINQ, Visual Studio, and .NET. Just drag the table into my dbml file, then call the object, pass in stuff and call SubmitChanges. Just too damn easy.
2:05 pm on Sept 21, 2013 (gmt 0)

New User

joined:Sept 21, 2013
posts:4
votes: 0


A lot has changed over the past few years in PHP, including the deprecation of the mysql_ functions:

[php.net...]

The PHP team recommends using PDO for all new development. There's a lot of people who swear by Zend_Db and Doctrine, which layer on top of PDO's not quite perfect interface.

To see why something is broken, my go to is var_dump($somevar). It shows me the data type of the variable and the value of the variable, the former sometimes being incredibly useful for tracking down a bug. In your case, it would have shown a 'bool' as the data type.
6:14 pm on Sept 21, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:Dec 13, 2009
posts:945
votes: 0


To extend on best practices... For new developments, it is wise to have some very wide error reporting on:

error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', 1);

You would have caught this error instantly without needing to come here if you'd had that active.
7:07 pm on Sept 21, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2006
posts: 3123
votes: 0


As hinted at, mysql_real_escape() should not return "" (an empty string) unless something else is wrong in your code. Nothing has changed in this respect.

However, whether you should be using mysql_real_escape() (part of the out-dated MySQL extension) is another matter. As mentioned above, PDO is the recommended extension these days. You can then use prepared queries which avoids the need to manually "mysql escape" anything.
10:06 am on Sept 22, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
posts:4783
votes: 0


If you want you can also use the mysqli (note the i) interface. It's a bit more familiar than the PDO stuff and it's not deprecated like the mysql one. It also supports prepared statements so you can get rid of all the escaping crap (if you use prepared statements to separate code from data).
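Added example, not code from any poster in this thread: the "code from data" separation described in the two posts above (PDO prepared queries and mysqli prepared statements) shown side by side with the string-concatenated insert they replace. It runs offline against an in-memory SQLite database through PDO so the injection can be observed; the MySQL DSN in the comment and the mysqli function assume a reachable MySQL server and are not executed here. The users table, the column names and the hostile input are constructed for the example.

```php
<?php
// Added example (not from the thread). Runs offline via PDO + SQLite;
// the mysqli variant assumes a MySQL server and is only defined, not called.
declare(strict_types=1);

function connect(): PDO {
    // For the thread's MySQL case the DSN would be:
    //   'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'
    $pdo = new PDO('sqlite::memory:');
    // Throw instead of returning false: a silent false is exactly what hid
    // the mysql_real_escape_string() problem earlier in the thread.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On MySQL, let the server parse the statement and receive values
    // separately; with emulated prepares PDO interpolates client-side.
    if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, bio TEXT)');
    return $pdo;
}

// Vulnerable: user data is pasted into the SQL text, so a name such as
// "x', 'pwned'); -- " rewrites the statement instead of being stored.
function insertUnsafe(PDO $pdo, string $name, string $bio): void {
    $pdo->exec("INSERT INTO users (name, bio) VALUES ('$name', '$bio')");
}

// Safe: the statement is fixed at prepare time and the values are sent as
// parameters, so they are never re-parsed as SQL and need no manual escaping.
function insertSafe(PDO $pdo, string $name, string $bio): int {
    $stmt = $pdo->prepare('INSERT INTO users (name, bio) VALUES (:name, :bio)');
    $stmt->execute([':name' => $name, ':bio' => $bio]);
    return (int) $pdo->lastInsertId();
}

// Placeholders bind values only. A column name in ORDER BY cannot be a
// parameter, so identifiers from the request go through a whitelist instead,
// and LIMIT is bound as an integer rather than the string '10'.
function listUsers(PDO $pdo, string $orderBy, int $limit): array {
    $allowed = ['id', 'name'];
    if (!in_array($orderBy, $allowed, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $stmt = $pdo->prepare("SELECT id, name, bio FROM users ORDER BY $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The same insert with mysqli prepared statements (assumes a MySQL server).
function insertSafeMysqli(mysqli $db, string $name, string $bio): int {
    $stmt = $db->prepare('INSERT INTO users (name, bio) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $bio); // one 's' (string) per placeholder
    $stmt->execute();
    return (int) $db->insert_id;
}

$pdo = connect();
$hostile = "x', 'pwned'); -- ";            // constructed injection payload

insertUnsafe($pdo, $hostile, 'ignored');    // stores name 'x' with bio 'pwned': the input became SQL
insertSafe($pdo, $hostile, 'stored as-is'); // stores the whole payload literally as the name

foreach (listUsers($pdo, 'id', 10) as $row) {
    printf("%d | %s | %s\n", $row['id'], $row['name'], $row['bio']);
}
```

The point the later question in this thread is circling is that PDO itself does nothing to user input; it is the placeholder (`:name`, `?`) that keeps a value out of the statement text. Anything that is not a value (table, column, ORDER BY direction) still has to be validated in code, as the whitelist in listUsers() shows.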
1:11 pm on Sept 23, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


Thanks, I had looked at mysqli, it's just tough to switch to a new one because I'll have to invest time in learning something new, and I don't really do that much with PHP now anyways. I'll probably use PDO though, thanks.
1:18 pm on Sept 23, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


And just so I'm clear, do I need to do anything to user-inputted data that goes into my queries to protect against injection attacks, or does the PDO class handle that on the back end?
1:21 pm on Sept 23, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


And thanks, I had missed the ini set. I had set error reporting on but nothing was coming up. Forgot about the ini set. I guess I'm a lot more rusty than I thought.