mysqli_real_escape_string vs. mysql_real_escape_string
I based my entire experience of database entries on these differences. Thoughts? And differences?
The one to use depends on whether you are using the MySQLi extension or the MySQL extension.
clearly.
My thought is that I still continue to see people using mysql for db entries, but the mere fact is that mysqli_real_escape_string is so much easier than the sprintf of mysql. And I'm just wondering why. Mysqli has been out for years now.
You would need to use sprintf or string concatenation whether you use mysqli_real_escape_string or mysql_real_escape_string. Perhaps your question is really not about these two functions but about the MySQLi versus MySQL extensions, in which case prepared statements with MySQLi come into play. I would then say that the reason why the MySQL extension is still used is because of a resistance to change (which may be sensible: it ain't broken, why fix it?) and because newcomers to PHP still read books in which the MySQL extension is demonstrated.
As laserlight said, even with sprintf you should still be using *_real_escape_string, i.e.:
// My preferred style (object-oriented mysqli)
// Connection details are placeholders. The connection must be open before
// escaping: real_escape_string uses the connection's character set to decide
// which bytes it has to escape, so set the charset through the driver too.
// The original used a table named "table", which is a reserved word; it is
// called comments here so the statement actually parses.
$db = new mysqli('localhost', 'user', 'password', 'dbname');
$db->set_charset('utf8mb4');
$sql = sprintf("INSERT INTO comments (id,name,email,comment) VALUES (NULL,'%s','%s','%s')",
    $db->real_escape_string($name),
    $db->real_escape_string($email),
    $db->real_escape_string($comment));

// procedural mysqli (same calls in function form; the link comes first)
$db = mysqli_connect('localhost', 'user', 'password', 'dbname');
mysqli_set_charset($db, 'utf8mb4');
$sql = sprintf("INSERT INTO comments (id,name,email,comment) VALUES (NULL,'%s','%s','%s')",
    mysqli_real_escape_string($db, $name),
    mysqli_real_escape_string($db, $email),
    mysqli_real_escape_string($db, $comment));

// mysql (the old extension; note the reversed argument order: string first, link second)
$conn = mysql_connect('localhost', 'user', 'password');
mysql_select_db('dbname', $conn);
mysql_set_charset('utf8', $conn);
$sql = sprintf("INSERT INTO comments (id,name,email,comment) VALUES (NULL,'%s','%s','%s')",
    mysql_real_escape_string($name, $conn),
    mysql_real_escape_string($email, $conn),
    mysql_real_escape_string($comment, $conn));
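The thread's two approaches side by side, as an added example that is not code from any poster: the escape-then-sprintf insert from the snippets above, and the MySQLi prepared statement laserlight mentions, both storing the same row and both read back with a prepared SELECT. The connection details and the table comments (id, name, email, comment) are assumptions for illustration, and the input row is constructed; the functions insert_escaped and insert_prepared are names chosen here, not MySQLi API.

```php
<?php
// Added example for this thread, not from the original posts.
// Assumed connection details and an assumed table: comments (id, name, email, comment).

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any MySQL error

$db = new mysqli('localhost', 'app', 'secret', 'appdb');   // placeholder credentials
// real_escape_string is only correct when the driver knows the connection charset,
// so set it through set_charset(), not through a raw "SET NAMES" query.
$db->set_charset('utf8mb4');

// Approach 1 (what the snippets above do): escape each value, then splice it into
// the SQL text. Every %s has to sit inside quotes in the format string; the escaping
// alone does nothing for an unquoted placeholder.
function insert_escaped(mysqli $db, string $name, string $email, string $comment): int
{
    $sql = sprintf(
        "INSERT INTO comments (id, name, email, comment) VALUES (NULL, '%s', '%s', '%s')",
        $db->real_escape_string($name),
        $db->real_escape_string($email),
        $db->real_escape_string($comment)
    );
    $db->query($sql);
    return $db->insert_id;
}

// Approach 2 (laserlight's point): a prepared statement. The SQL text with ? markers is
// sent once; the values are bound separately and are never parsed as SQL, so there is
// no quoting or escaping step that can be forgotten.
function insert_prepared(mysqli $db, string $name, string $email, string $comment): int
{
    $stmt = $db->prepare(
        "INSERT INTO comments (id, name, email, comment) VALUES (NULL, ?, ?, ?)"
    );
    $stmt->bind_param('sss', $name, $email, $comment); // 's' binds each value as a string
    $stmt->execute();
    $id = $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed input containing a single quote: the case both approaches exist to handle.
$name    = "Miles O'Brien";
$email   = 'miles@example.com';
$comment = "Tried it on a 'test' server, works fine";

$id1 = insert_escaped($db, $name, $email, $comment);
$id2 = insert_prepared($db, $name, $email, $comment);

// Read both rows back, again with bound parameters, to confirm the quote survived intact.
$stmt = $db->prepare("SELECT id, name, comment FROM comments WHERE id IN (?, ?)");
$stmt->bind_param('ii', $id1, $id2);
$stmt->execute();
foreach ($stmt->get_result()->fetch_all(MYSQLI_ASSOC) as $row) {
    printf("%d: %s / %s\n", $row['id'], $row['name'], $row['comment']);
}
$stmt->close();
```

Both functions store the apostrophe correctly; the difference is where the safety lives. In insert_escaped it depends on the author quoting every %s and escaping every argument on every query they ever write, while in insert_prepared the separation of SQL from data is done by the driver, which is why it is the form to prefer once you are on MySQLi anyway.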