Home/ Questions/Q 7018943
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T23:07:03+00:00

I’m using mysqli extension in php for connection to database. I’ve such a simple

  • 0

I’m using mysqli extension in php for connection to database. I’ve such a simple question. Is it better to use mysqli instead of mysql and why is it necessary to use mysqli_real_escape_string ? what is this function doing exactly ? Thanks …

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I’ll put a little example not using SQL. Imagine you have this PHP code:

    <?php
echo 'Hello, world!';

    Now you want to replace world with O'Hara:

    <?php
echo 'Hello, O'Hara!'; // Parse error: syntax error, unexpected T_STRING, expecting ',' or ';'

    Yeah, of course, that is not valid PHP. You need to escape the single quote since it’s interpreted as a literal quote rather than the string delimiter:

    <?php
echo 'Hello, O\'Hara!';

    You have exactly the same problem when composing SQL queries. If you inject random input into your code, sooner or later it’ll break. You need to encode input so it’s handled as literal input rather than broken code.

    How can you do that? Well, MySQL accepts \' just like PHP (though it’s only a coincidence: other database engines use other escape methods). So the dumbest solution is to add back slashes here and here:

    SELECT id FROM user WHERE name='O\'Hara';

    Of course, it’s a lot of work to hard-code all the possible characters that need escaping (and you’ll probably forget some of them) so you can use a function that does the job for you: either mysql_real_escape_string() or mysqli_real_escape_string().

    The question is: is this good enough? Well, it kind of works, but it leads to annoying code that’s difficult to maintain:

    $sql = "UPDATE user SET name='" . mysql_real_escape_string($name) . "' WHERE id='" . mysql_real_escape_string($id) . "'";

    … and you still need to take care of surrounding the complete value with single quotes… which are not always mandatory (think of numbers)… What a mess. Can’t someone invent something better? Good news is: they did! It’s called prepared statements:

    // Just an example, I invented the syntax
$sql = 'UPDATE user SET name=:name WHERE id=:id';
$params = array(
    'name' => "O'Brian",
    'id' => 31416,
);
$MyDbConnection->execute($sql, $params);

    In real life:

    • MySQLi has the prepare() method to accomplish this. Find some examples there.
    • Legacy MySQL extension… has nothing: it does not support prepared statements at all! If you use this extension, you are stuck with the annoying add-quotes-yourself and string concatenation methods.

    I hope this explains the whole question.

    • 0