Can I use "mysql_real_escape_string" in site "mysqli_connect"?

3

Can I use the mysql_real_escape_string function on a site built in mysqli_connect ? And if so does it make any difference or would the protection be less?

Or should I use mysqli_escape_string ? Because when I put mysqli_escape_string it gave some errors when it was to make a mysqli_query ..

mysqli_escape_string() expects exactly 2 parameters, 1 given in ....

BUT when using mysql_escape_string it returns

mysql_escape_string(): This function is deprecated; use mysql_real_escape_string()

In each case should you use mysql_real_escape_string ?

    
asked by anonymous 10.12.2015 / 13:20

3 answers

2

Reasons why you should not use the mysql_ functions, are obsolete, removed from php7, need a mysql _ connection to work, and does not solve sql injections because resolve this use prepared statements.

  

mysqli_escape_string () expects exactly 2 parameters, 1 given in

Using the procedural style of mysqli ALMOST ALWAYS the first argument of the function is connection.

  

string mysqli_real_escape_string (mysqli $ link, string $ escapestr)

Recommended Reading:

Why should not we use functions of type mysql_ *?

How to prevent SQL injection in my PHP code

Select with prepared statements MySQLi

Manual - mysqli_real_escape_string

    
10.12.2015 / 13:29
3

No, do not use! The mysql_real_escape_string function is deprecated.

The right thing would be to use:

$anything = mysqli_real_escape_string($conexao, $_POST['variavel']);
    
10.12.2015 / 13:35
-1

Dude, learn and use the PDO. PHP 7 has already been released, making all mysql_ * functions obsolete, making legacy code incompatible. One hour you will have to deal with this problem. The PDO has a method called bindValue that solves this problem for you.

    
10.12.2015 / 14:04