
Is it OK to set a variable equal to mysql real escape string?


csdude55

7:33 pm on Mar 19, 2020 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I'm not sure how to test this and can't find it on Google... is it acceptable to do this:

$string = mysql_real_escape_string($dbh, $_GET['string']);

$query = sprintf("SELECT * FROM table WHERE column = '%s'",
$string);

When I'm doing MATCH..AGAINST or INSERT..ON DUPLICATE KEY I have multiple %s that are the same thing, so I'm just not sure if it's marginally faster to just run mysqli_real_escape_string() one time, or if that's doing something weird that defeats the purpose. The fact that it uses $dbh as the first parameter makes me confused about how the whole process works.

w3dk

12:16 am on Mar 23, 2020 (gmt 0)

10+ Year Member Top Contributors Of The Month



Yes, you can assign the return value to a variable and use that - providing you are using it on the same database (same character encoding).

AFAIK, the only reason for the DB connection argument is to retrieve the charset used by the database in order to correctly escape the string.

Typo in your code example... "mysql_real..." should be "mysqli_real...". (?)
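An added example (not code from either poster) showing the pattern the thread settles on: set the connection charset, escape the value once on that connection, then reuse the escaped string for every %s in an INSERT..ON DUPLICATE KEY query, with the equivalent prepared statement beside it. The table `items`, its columns, and the connection credentials are hypothetical placeholders.

```php
<?php
// Placeholder credentials and a hypothetical table `items` (name, hits).
$dbh = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');
if ($dbh === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// mysqli_real_escape_string() reads the client charset from $dbh, which is
// why the handle is the first argument. Set the charset before escaping so
// the escaping rules match the encoding the server will parse.
mysqli_set_charset($dbh, 'utf8mb4');

// Escape once. The result is an ordinary string, valid for quoted string
// literals on this connection, so it can be reused for every %s that needs
// the same value. It is not suitable for identifiers or unquoted numbers.
$name = mysqli_real_escape_string($dbh, $_GET['name'] ?? '');

$query = sprintf(
    "INSERT INTO items (name, hits) VALUES ('%s', 1)
     ON DUPLICATE KEY UPDATE hits = hits + 1, name = '%s'",
    $name,
    $name
);
if (mysqli_query($dbh, $query) === false) {
    die('query failed: ' . mysqli_error($dbh));
}

// Same statement as a prepared statement: the value travels separately from
// the SQL text, so no escaping step is needed and the raw value is bound to
// both placeholders.
$stmt = mysqli_prepare(
    $dbh,
    "INSERT INTO items (name, hits) VALUES (?, 1)
     ON DUPLICATE KEY UPDATE hits = hits + 1, name = ?"
);
$raw = $_GET['name'] ?? '';
mysqli_stmt_bind_param($stmt, 'ss', $raw, $raw);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
```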