
What is the equivalent of the below in SQL?

PHP function for MySQL (the escaping call takes the connection handle first, and the request value lives in $_POST):

mysqli_real_escape_string($link, $_POST['password']);

1 Answer

Escaping is done to prepare a SQL statement correctly. There is no equivalent in MySQL because by the time it hits that layer it should have been escaped in the first place.

Using mysqli_real_escape_string is also a sign you're doing something incorrectly, as you should be using the bind_param method instead of this kind of super-low-level call.

  • `mysqli_real_escape_string` is **not** 'doing something incorrectly'. Prepared Statements are one approach to securing SQL, but they are not a silver bullet. Prepared statements carry a performance overhead in many uses, and do not support some useful syntax variations. `mysqli_real_escape_string` is a valid method of escaping SQL inputs. The important thing is to ensure the security of your SQL. Insisting that prepared statements are the only 'correct' way is just lazy thinking. –  Jul 19 '13 at 15:43
  • @Mike Amen! `*_real_escape_string` works just fine *if applied correctly!* – deceze Jul 19 '13 at 15:49
  • The number of disastrously bad code examples I've seen here suggests that most people don't understand how to use any of the `escape_string` functions correctly or, more importantly, consistently. What's the performance overhead of placeholders? Is it even measurable? If so, why is PHP one of the few languages that makes a habit of calling low-level escaping functions? If PDO has a performance problem, then it should be fixed. Encouraging people to escape their own data without placeholders is not helping. – tadman Jul 19 '13 at 16:12