I am using PHP version 5.3 and trying to use mysql_real_escape_string($unescaped_string)
in my code, but I get the error:
Fatal error: Call to undefined function mysql_real_escape_string()
in /var/www/engine/database.php on line 38
I can still connect to the database however. Why is it not available?
I am using PHP version 5.3.
This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.
The real_escape_string() / mysqli_real_escape_string() function escapes special characters in a string for use in an SQL query, taking into account the current character set of the connection.
mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.
mysql_real_escape_string is safe to use if used properly (i.e., everywhere you're inserting PHP variables into your queries), but as has been pointed out in the comments it's not the only thing you need to worry about. For example, HTML markup could be inserted into your DB and used for Cross Site Scripting attacks.
Update: as mentioned in comment, mysql_ has been deprecated since 5.5:
The mysql extension has been deprecated since PHP 5.5. The mysqli or PDO extension should be used instead. The deprecation has been decided in mysql_deprecation, where a discussion of the reasons behind this decision can be found.
and removed in PHP 7.
mysql_real_escape_string() is a standard part of the MySQL function "batch" and should always work if the extension is loaded correctly.
Does any other mysql_ function work? (It should not)
Make sure that you have this line uncommented in your php.ini:
extension=mysql.so
Also it'd be wise to use mysqli or PDO instead (mysql_ is deprecated); they both can take care of escaping for you.
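The PDO route recommended above, as an added example that is not part of the original question or answers: it first reports which MySQL extensions this PHP build has loaded (the cause of the "undefined function" error), then runs parameterized queries and encodes stored markup on output. The table, the helper names and the in-memory SQLite DSN are assumptions chosen so the script runs without a database server; the code avoids short array syntax so it also parses on PHP 5.3.

```php
<?php
// Added example, not code from the question or answers.
// Assumption: pdo_sqlite is installed, so this runs without a database server.
// For MySQL only the DSN changes (placeholder host/db; charset needs PHP >= 5.3.6):
//   new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass);

// Report which MySQL client extensions this PHP build actually has loaded.
function mysql_ext_status()
{
    return array(
        'php_version'   => PHP_VERSION,
        'ext_mysql'     => extension_loaded('mysql'),
        'ext_mysqli'    => extension_loaded('mysqli'),
        'ext_pdo_mysql' => extension_loaded('pdo_mysql'),
        'escape_fn'     => function_exists('mysql_real_escape_string'),
    );
}

function open_db()
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
    return $pdo;
}

function add_comment(PDO $pdo, $author, $body)
{
    // Values travel as bound parameters, never as part of the SQL text.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute(array(':author' => $author, ':body' => $body));
}

function find_by_author(PDO $pdo, $author)
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE author = :author');
    $stmt->execute(array(':author' => $author));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

print_r(mysql_ext_status());
$pdo = open_db();
add_comment($pdo, "O'Brien", '<b>hi</b>');   // constructed sample input
foreach (find_by_author($pdo, "O'Brien") as $row) {
    // Parameter binding does not neutralise markup; encode when rendering HTML.
    echo htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
// A quote-laden value is compared as a literal string and matches nothing.
var_dump(count(find_by_author($pdo, "x' OR '1'='1")));
```

If `ext_mysql` and `escape_fn` both report false, the legacy extension is not loaded in this PHP build, which is what the fatal error in the question indicates.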