----- Original Message ---- > From: Dotan Cohen <dotanco...@gmail.com> > To: Tommy Pham <tommy...@yahoo.com> > Cc: php-general. <php-general@lists.php.net> > Sent: Sat, October 17, 2009 10:59:52 AM > Subject: Re: [PHP] Sanitizing potential MySQL strings with no database > connection > > > I don't think so since the mysql_real_escape_string() requires a connection > handler. Why not use bind param? > > > > Thanks. I just googled bind param but I am still a bit unclear as to > what is going on. > > To be clear, I have a file of functions that I use in many scripts, > lets call it functions.inc. One of the functions calls > mysql_real_escape_string() but in order to do that it looks like I > have to connect to a database. However, different scripts connect to > different databases, and some do not connect to a database at all, so > I cannot simple connect to a database from the functions.inc file as > that will interfere with the database connections going on in the > scripts including that file. > > -- > Dotan Cohen > > http://what-is-what.com > http://gibberish.co.il > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php
I assumed the reason you wanted to do escape the string so that you could perform DB operations. In your select/insert/update class(es)/function(s), you could just use prepare statement and bind param. Thus, no need to escape the string to protect against injection. It's also faster if by chance you're doing several updates/inserts due to the nature of prepare statement. You could use a call back function in case you have a varying size array of parameters, making your code more adaptable and somewhat smaller. I generally prefer using prepare statement + bind param over escape string + query for speed and flexibility. http://www.php.net/manual/en/mysqli.prepare.php http://www.php.net/manual/en/mysqli-stmt.bind-param.php have good examples. Regards, Tommy -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
