Does every single call to mysql_real_escape_string require another trip to the database?

Tags: php, mysql

http://php.net/manual/en/function.mysql-real-escape-string.php:

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

OK, so basically if I ever do something like this:

mysql_query("insert T(C)select'".mysql_real_escape_string($value)."'")

I'm making 1 trip to the database for the mysql_real_escape_string function and another trip for the function mysql_query = 2 trips to the database?

Pacerier asked Jul 24 '11 18:07

1 Answer

The fact that it uses the mysql library does not mean it does a round trip with the server.

It runs code from the mysql client library, loaded in the same process as your php interpreter. You do need a connection though - that function needs to know some server settings to operate properly. But those settings are cached in the connection information on the PHP side.

If you want to verify this (and you're on Linux), write a simple script like:

<?php
// Connect first: mysql_real_escape_string() needs an open connection
// so it knows the active character set.
$link = mysql_connect('localhost', 'user', 'pass');
echo "Connection done\n";
// The escaping itself runs in the client library, inside this process.
echo mysql_real_escape_string("this ' is a test");
?>

And run it through strace:

$ strace php t.php
....            # here comes the connection to mysql, socket fd == 3
connect(3, {sa_family=AF_FILE, path="/var/run/mysqld/mysqld.sock"}, 110) = 0
fcntl(3, F_SETFL, O_RDWR)               = 0
setsockopt(3, SOL_SOCKET, SO_RCVTIMEO, "\2003\341\1\0\0\0\0\0\0\0\0\0\0\0\0", 16) = 0
....            # talking with mysql here
poll([{fd=3, events=POLLIN}], 1, 60000) = 1 ([{fd=3, revents=POLLIN}])
read(3, "8\0\0\0\n5.1.58-log\0\3\0\0\0K-?4'fL+\0\377\367!"..., 16384) = 60
...
read(3, "\7\0\0\2\0\0\0\2\0\0\0", 16384) = 11
                # first php echo
write(1, "Connection done\n", 16Connection done    )       = 16
                # second php echo
write(1, "this \\' is a test", 17this \' is a test)      = 17
munmap(0x7f62e187a000, 528384)          = 0
....

The only important thing there is that the two writes caused by the echo statements have no other syscall in between - no network communication is possible without a syscall (from userspace in Linux anyway).

Mat answered Sep 21 '22 09:09
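The following script is an added example, not code from the question or the answer above. It puts the two things the answer separates side by side on the mysqli extension (the successor of the mysql extension the question uses): escaping, which runs inside the client library and costs no round trip, and a prepared statement, which sends the SQL text and the data separately so no escaping is needed at all. The host, credentials, database name and the table `T (C VARCHAR(255))` are placeholders assumed for the example.

```php
<?php
// Added example (not from the original page). Connection parameters and the
// table T(C) are assumed placeholders; adjust them for a real setup.
$link = mysqli_connect('localhost', 'user', 'pass', 'testdb');
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}

// The escaping rules depend on the connection's character set. Set it through
// the API (not with a raw "SET NAMES" query) so the client library, which does
// the escaping locally, is told which charset is in effect.
mysqli_set_charset($link, 'utf8mb4');

$value = "this ' is a test";

// 1) Escaping: pure client-library code, no packet is sent to the server here.
//    The only network traffic is the INSERT itself.
$escaped = mysqli_real_escape_string($link, $value);
$sql = "INSERT INTO T (C) VALUES ('" . $escaped . "')";
if (!mysqli_query($link, $sql)) {
    die('insert failed: ' . mysqli_error($link) . "\n");
}

// 2) Prepared statement: the SQL text goes to the server once, the value is
//    sent as a separate parameter. Nothing is pasted into the SQL string, so
//    there is nothing to escape. Note this is a prepare and an execute, i.e.
//    two server exchanges, so it is not a way to save round trips.
$stmt = mysqli_prepare($link, 'INSERT INTO T (C) VALUES (?)');
if ($stmt === false) {
    die('prepare failed: ' . mysqli_error($link) . "\n");
}
mysqli_stmt_bind_param($stmt, 's', $value);
if (!mysqli_stmt_execute($stmt)) {
    die('execute failed: ' . mysqli_stmt_error($stmt) . "\n");
}
mysqli_stmt_close($stmt);

mysqli_close($link);
echo "both rows inserted\n";
?>
```

Running this under strace, as the answer does, shows the same pattern: between the connection handshake and the first INSERT there is no socket write for the escaping call, while the prepared-statement path produces two separate exchanges. The charset call matters for the first path: if the connection's character set changes behind the client library's back, the locally cached setting no longer matches what the server uses, which is the one case where in-process escaping can produce a string the server interprets differently.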