
Forum Moderators: coopster & jatar k

Safest way to insert mysql data?

   
1:39 pm on Sep 20, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I used to use the mysql_real_escape function to insert data, but that just returns "" now. Is there a new function for this or something? Sorry, it's been a while since I've been in the php world.
3:56 pm on Sep 20, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Have you connected to the database prior to calling mres? If you do not have an active connection, it'll return false and trigger an E_WARNING.
4:04 pm on Sep 20, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



ahh, maybe that was my problem. Like I said, it's been a while. I've been spoiled by linq, visual studio, and .net. Just drag the table into my dbml file, then call the object and pass in stuff and hit call submitchanges. Just too damn easy.
2:05 pm on Sep 21, 2013 (gmt 0)



A lot has changed over the past few years in PHP, including the deprecation of the mysql_ functions:

[php.net...]

The PHP team recommends using PDO for all new development. There are a lot of people who swear by Zend_Db and Doctrine, which layer on top of PDO's not quite perfect interface.

To see why something is broken, my go-to is var_dump($somevar). It shows me the data type of the variable and the value of the variable, the former sometimes being incredibly useful for tracking down a bug. In your case, it would have shown a 'bool' as the data type.
6:14 pm on Sep 21, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



To extend on best practices... For new developments, it is wise to have some very wide error reporting on:

error_reporting(E_ALL | E_STRICT);
ini_set('display_errors', 1);

You would have caught this error instantly without needing to come here if you'd had that active.
7:07 pm on Sep 21, 2013 (gmt 0)

WebmasterWorld Senior Member penders is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



As hinted at, mysql_real_escape() should not return "" (an empty string) unless something else is wrong in your code. Nothing has changed in this respect.

However, whether you should be using mysql_real_escape() (part of the outdated MySQL extension) is another matter. As mentioned above, PDO is the recommended extension these days. You can then use prepared queries, which avoid the need to manually "mysql escape" anything.
10:06 am on Sep 22, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If you want you can also use the mysqli (note the i) interface. It's a bit more familiar than the PDO stuff and it's not deprecated like the mysql one. It also supports prepared statements so you can get rid of all the escaping crap (if you use prepared statements to separate code from data).
1:11 pm on Sep 23, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Thanks, I had looked at mysqli; it's just tough to switch to a new one because I'll have to invest time in learning something new, and I don't really do that much with php now anyways. I'll probably use pdo though, thanks.
1:18 pm on Sep 23, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



And just so I'm clear, do I need to do anything to user-inputted data that goes into my queries to protect against injection attacks, or does the PDO class handle that on the back end?
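To make concrete what the replies above about PDO, mysqli and prepared statements mean in practice, here is an added example (not code posted in this thread). It answers the question just asked: with a prepared statement the SQL text and the bound values travel separately, so the input is never spliced into the query and nothing has to be escaped by hand. The `users` table, the sample rows, the hostile input string and the `DB_USER`/`DB_PASSWORD`/`DB_NAME` credentials are all constructed placeholders; the runnable part uses PDO's SQLite driver with an in-memory database so it works without a MySQL server, and only the DSN changes for MySQL.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Shows an unescaped string-concatenated
// query beside the prepared-statement version, with PDO and then with mysqli.
//
// Runs offline against SQLite in memory. For MySQL only the connection line
// changes (placeholders, not real credentials), and it is worth adding
// PDO::ATTR_EMULATE_PREPARES => false so the MySQL server does the preparing:
//   new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', $options);

$options = [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of quietly returning false
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
$pdo = new PDO('sqlite::memory:', null, null, $options);

// Constructed sample schema and rows.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed hostile "username": the classic input that breaks concatenated queries.
$userInput = "x' OR '1'='1";

// UNSAFE: the input becomes part of the SQL text. This is the bug that manual
// escaping was meant to cover, and that prepared statements remove entirely.
function findUserUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $pdo->query($sql)->fetchAll();
}

// SAFE: the query text is fixed; the value is bound as a parameter.
function findUserSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll();
}

// SAFE insert: same pattern, with no mysql_real_escape_string() step anywhere.
function insertUser(PDO $pdo, string $username, string $email): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:username, :email)');
    $stmt->execute([':username' => $username, ':email' => $email]);
    return (int) $pdo->lastInsertId();
}

// The unsafe query matches every row because the OR clause was injected;
// the safe query matches none because no user is literally named x' OR '1'='1.
echo 'unsafe rows returned: ' . count(findUserUnsafe($pdo, $userInput)) . "\n";
echo 'safe rows returned:   ' . count(findUserSafe($pdo, $userInput)) . "\n";

// Storing the hostile string is harmless: it is just data in a column.
$newId = insertUser($pdo, $userInput, 'odd@example.com');
echo "inserted id $newId; safe lookup now finds " . count(findUserSafe($pdo, $userInput)) . " row(s)\n";

// The same idea with mysqli, as the reply above suggests. Not executed here:
// it needs a live MySQL server, and the credentials are placeholders.
function insertUserMysqli(string $username, string $email): int
{
    $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
    $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $email); // one 's' (string) per placeholder
    $stmt->execute();
    return (int) $stmt->insert_id;
}
```

The thing to check in your own code is that every value coming from the request reaches the driver through `execute()` or `bind_param()` and never through string interpolation; table and column names cannot be bound this way, so if those vary they have to be checked against a fixed whitelist instead.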
1:21 pm on Sep 23, 2013 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



And thanks, I had missed the ini set. I had set error reporting on but nothing was coming up. Forgot about the ini set. I guess I'm a lot more rusty than I thought.
 
