I have read countless articles but was wondering if someone could explain the difference to me in layman's terms? I know they both protect against SQL injection and are for security. But if I'm using mysqli to run a query, or the old-fashioned way of mysql_query, does it really matter which one I use? Aren't they both wrappers anyway for the SQL function?
Why does the below code not work?
$test="hello, 'there";
$db->real_escape_string($test);
$db->query("INSERT INTO users (first_name) VALUES ('$test')");
They take into account the current charset of the connection, so they need to be able to access the connection, so you have to use the one for the library you opened the connection with.
They should generally be avoided in favour of prepared statements though.
Why does the below code not work?
$test="hello, 'there";
$db->query("INSERT INTO users (first_name) VALUES ('$test')",
mysqli_real_escape_string($test));
You may have other issues but: you escape $test after you've injected it into the SQL. This should go before you construct your string of SQL:
$test = mysqli_real_escape_string($link, $test);
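Putting the two answers together, here is an added example (not code from the original thread) that shows the escaping done in the right order, kept with its return value, and the prepared-statement alternative that the first answer recommends. It assumes a mysqli connection to a database with a users table that has a first_name column; the host, user, password and database name are placeholders.

```php
<?php
// Added example; connection details below are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on MySQL errors
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'appdb');

// Escaping is charset-aware (it must know the connection's charset to know
// which bytes are quote characters), so set the charset on the connection first.
$db->set_charset('utf8mb4');

$test = "hello, 'there";

// BROKEN (as in the question): real_escape_string() RETURNS the escaped copy,
// it does not modify $test in place. The return value is discarded, so the raw
// quote is interpolated into the SQL and the statement is malformed.
// $db->real_escape_string($test);
// $db->query("INSERT INTO users (first_name) VALUES ('$test')");

// Option 1: escape first, keep the result, and only then build the SQL string.
$escaped = $db->real_escape_string($test);   // hello, \'there
$db->query("INSERT INTO users (first_name) VALUES ('$escaped')");

// Option 2 (preferred): a prepared statement. The value is sent separately from
// the SQL text, so there is no escaping step to forget or to get out of order,
// and the string "hello, 'there" is stored as-is.
$stmt = $db->prepare('INSERT INTO users (first_name) VALUES (?)');
$stmt->bind_param('s', $test);   // 's' = bind as a string parameter
$stmt->execute();
$stmt->close();

$db->close();
```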