
I'm using PDO after migrating away from the mysql library. What do I use in place of the old real_escape_string function?

I need to escape single quotes so they will go into my database and I think there may be a better way to handle this without add(ing) slashes to all my strings. What should I be using?

  • 2
    A bit late to the party, but you could use PDO::quote() if the prepare() method is not an option (for example, when you have built your own model). Commented May 9, 2013 at 19:42

3 Answers

64

You should use PDO Prepare

From the link:

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

  • Thanks SteD. I read that a while back but I have since heard that PDO prepare will NOT prevent against SQL injection. I'm not sure what to believe anymore. Are you certain that prepare will stop injection attacks?
    – John
    Commented Sep 15, 2010 at 9:39
  • 4
    PDO prevents SQL injection. (It does not help prevent XSS vulnerabilities, but neither does mysql_real_escape.)
    – nos
    Commented Sep 15, 2010 at 9:43
  • 4
    John: Yes, if you use it correctly, there's a good explanation by Bill in this post --> stackoverflow.com/questions/1314521/…
    – SteD
    Commented Sep 15, 2010 at 9:46
  • 1
    @SteD: Thanks, I'm reading it now.
    – John
    Commented Sep 15, 2010 at 9:50
  • 8
    There is no way any database layer can protect you against XSS, because that's an issue of page-output-time escaping and not anything to do with the database. Whilst many misguided authors do try to HTML-escape at the same time as SQL-escaping or over input values, this is the wrong time to address it and will typically result in incomplete protection as well as other nasty bugs.
    – bobince
    Commented Sep 15, 2010 at 9:56
57

PDO offers an alternative designed to replace mysql_escape_string() with the PDO::quote() method.

Here is an excerpt from the PHP website:

<?php
    $conn = new PDO('sqlite:/home/lynn/music.sql3');

    /* Simple string */
    $string = 'Nice';
    print "Unquoted string: $string\n";
    print "Quoted string: " . $conn->quote($string) . "\n";
?>

The above code will output:

Unquoted string: Nice
Quoted string: 'Nice'
  • 14
    I am currently in the process of migrating old code to use PDO and while the solution is a good one, people need to be aware of the fact that it will place quotes around the string. So if people are building out queries that already have quotes like "SELECT * FROM users WHERE username = '".$conn->quote($username)."'";, the queries will inevitably fail. Commented Jun 11, 2014 at 18:05
  • 19
    The accepted answer might be the recommended way, and the best practice, but this answer is the correct answer to the actual question. Sometimes you actually need the old mysql_escape_string function, for instance if you are building a file to be executed later. You can't do that with a prepared statement. Commented Mar 20, 2015 at 1:32
  • Also prepared statements might impose a performance penalty if executed only once. Commented Nov 12, 2020 at 5:56
7

Use prepared statements. Those keep the data and syntax apart, which removes the need for escaping MySQL data. See e.g. this tutorial.

  • Piskvor, thanks. I'm already using them, just not where I'm getting the errors. I just was wondering if prepare really stops injection attacks. I've heard to the contrary and there seems to be a lot of debate over it.
    – John
    Commented Sep 15, 2010 at 9:43
  • 1
    @John: Yes, prepared statements will stop SQL injection attacks. (Of course, SQL injections are just one possible attack vector, so preventing them is not a magic "poof-your-website-is-now-fully-secure" dust) Commented Sep 15, 2010 at 10:13
  • 1
    @John there is not a single debate. Actually it's only you who debates it. Commented Sep 15, 2010 at 10:20
  • @Javi Ps: Yes. And...? Commented Jan 5, 2016 at 11:48
  • 1
    Prepared statements don't protect against all types of SQL injection, e.g. if you use dynamic table names. See my comment on the accepted answer for more details.
    – HappyDog
    Commented Aug 8, 2017 at 15:25
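
Pulling the three answers together, here is an added example (not code from any of the answers or from the PHP manual) that runs against an in-memory SQLite database: it shows a prepared statement, PDO::quote() used correctly, the double-quoting pitfall raised in the comments on the quote() answer, and an allow-list for a dynamic table name, which neither placeholders nor quote() can protect. The table, column and sample value are constructed for the demo.

```php
<?php
// Added example: PDO::quote() versus a prepared statement, plus the two
// pitfalls from the comments (double-quoting quote()'s output, and
// identifiers such as table names, which no escaping function covers).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)");
$pdo->exec("INSERT INTO users (username) VALUES ('O''Brien')");

// Constructed input containing the single quote the question asks about.
$input = "O'Brien";

// 1. Prepared statement: the value never becomes part of the SQL text.
$stmt = $pdo->prepare("SELECT COUNT(*) FROM users WHERE username = :name");
$stmt->execute([':name' => $input]);
echo "prepared:      ", $stmt->fetchColumn(), " row(s)\n";

// 2. PDO::quote(): the return value already carries its own surrounding
//    quotes, so it is concatenated into the SQL with no extra quoting.
$sql = "SELECT COUNT(*) FROM users WHERE username = " . $pdo->quote($input);
echo "quote():       ", $pdo->query($sql)->fetchColumn(), " row(s)\n";

// 3. The pitfall from the comments: wrapping quote() in another pair of
//    quotes produces ''O''Brien'', which is not a single string literal.
$bad = "SELECT COUNT(*) FROM users WHERE username = '" . $pdo->quote($input) . "'";
try {
    $pdo->query($bad)->fetchColumn();
    echo "double-quoted: unexpectedly succeeded\n";
} catch (PDOException $e) {
    echo "double-quoted: query failed: ", $e->getMessage(), "\n";
}

// 4. Identifiers: a dynamic table name cannot be bound or quoted, so it is
//    checked against a fixed allow-list (hypothetical helper) before use.
function tableFromAllowList(string $requested): string
{
    $allowed = ['users', 'orders'];
    if (!in_array($requested, $allowed, true)) {
        throw new InvalidArgumentException("table not allowed: $requested");
    }
    return $requested;
}
$table = tableFromAllowList('users');
$stmt = $pdo->prepare("SELECT COUNT(*) FROM $table WHERE username = :name");
$stmt->execute([':name' => $input]);
echo "allow-listed:  ", $stmt->fetchColumn(), " row(s)\n";
```

Requires the pdo_sqlite extension; the first, second and fourth queries each report one matching row, while the double-quoted query raises a syntax error.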
