
So I'm trying to use this $name = $con->real_escape_string($_POST['name']); with my code, and it's not working. I get the error

Fatal error: Call to undefined method PDO::real_escape_string() in /Users/idrisk/Colourity/si/r.php on line 15. I'm not sure what that means. Here's the code I have so far.

    $username = "xxx";
    $password = "xxx";
    try {
        // DSN key corrected to dbname (the post had "s=myDatabase")
        $con = new PDO('mysql:host=localhost;dbname=myDatabase', $username, $password);
        $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    } catch (PDOException $e) {
        echo 'ERROR: ' . $e->getMessage();
    }
    // These calls raise the fatal error above: PDO has no real_escape_string() method.
    $name      = $con->real_escape_string($_POST['name']);
    $username  = $con->real_escape_string($_POST['username']);
    $email     = $con->real_escape_string($_POST['email']);
    $password1 = $con->real_escape_string($_POST['pass1']);
    $password2 = $con->real_escape_string($_POST['pass2']);

Any ideas?

  • PDO doesn't have a real_escape_string method. Bind the parameters instead. Commented Apr 21, 2014 at 0:55
  • What would that look like? @AmalMurali Commented Apr 21, 2014 at 0:56
  • phptherightway.com/#databases -- good start to learn about Commented Apr 21, 2014 at 0:58
  • @user3444414: Also, see: wiki.hashphp.org/PDO_Tutorial_for_MySQL_Developers Commented Apr 21, 2014 at 0:58
  • $_POST['foo'] is just another variable. It's not special. Just read the entire article, @user3444414. It's worth it. Commented Apr 21, 2014 at 1:05

1 Answer

PDO doesn't have a real_escape_string function, but it does have PDO::quote().

    $name = $con->quote($_POST['name']);

PDO::quote() does one thing that mysqli::real_escape_string() doesn't do: it adds the quote marks around the resulting escaped string.

Example with mysqli:

    $name = $mysqli->real_escape_string($_POST['name']);
    $sql  = "SELECT * FROM table1 WHERE name = '$name'"; // use single-quotes

Example with PDO:

    $name = $pdo->quote($_POST['name']);
    $sql  = "SELECT * FROM table1 WHERE name = $name"; // don't use single-quotes; quote() added them

Anyway, as @AmalMurali commented above, it's better to use prepared statements and parameters. Here's an easy way to use prepare() and pass parameters to execute():

    $sql = "INSERT INTO table1 VALUES (:name, :username, :email, :pass1)";
    // keep only the whitelisted $_POST keys; PDO accepts them with or without the leading colon
    $params = array_intersect_key($_POST, array_flip(array('name', 'username', 'email', 'pass1')));
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);

Parameters are better because they're just as safe for protecting against SQL injection, and they're easier to get right than the messy and error-prone escaping, quoting, and string-concatenation.

If you don't recognize some of those functions I showed, go read the docs:

Get used to reading documentation. Reading docs, reading other people's code, and experimentation is how most of us learned all this stuff.

There are even code examples in almost all of the PHP documentation pages.
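An added example, not part of the answer above or the original question, that puts the three approaches side by side: the string-splicing the question was heading towards, PDO::quote(), and a prepared statement with named parameters. It assumes an in-memory SQLite database so it runs offline (the original used MySQL; the PDO calls are the same), a constructed $input array standing in for $_POST, and a users table whose name and columns are invented for the example. It also guards the one failure mode the array_intersect_key() trick hides: a missing form field makes execute() fail rather than inserting a partial row.

```php
<?php
// Added example, not from the original question or answer. PDO against an
// in-memory SQLite database (assumed so it runs offline; the original used
// MySQL and the PDO calls are the same). $input is constructed data standing
// in for $_POST; the users table and its columns are assumed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, username TEXT, email TEXT, pass TEXT)');

// Constructed request data: a hostile name plus a field the INSERT does not use.
$input = [
    'name'     => "Robert'); DROP TABLE users; --",
    'username' => 'bobby',
    'email'    => 'bobby@example.com',
    'pass1'    => 'correct horse battery staple',
    'pass2'    => 'correct horse battery staple',
    'extra'    => 'not a column',
];

// Unsafe pattern: the value is spliced into the SQL text, so the embedded
// quote and the trailing "--" change what the statement means. Built only
// for display; never executed here.
$unsafe = "INSERT INTO users (name) VALUES ('{$input['name']}')";

// PDO::quote(): doubles the embedded single quote and wraps the result in
// quotes itself, so the SQL text must not add its own quotes around it.
$quotedName  = $pdo->quote($input['name']);
$countByName = "SELECT COUNT(*) FROM users WHERE name = $quotedName";

// Prepared statement with named parameters. Check the required keys first:
// array_intersect_key() silently drops missing ones, and execute() would
// then fail with "Invalid parameter number" (SQLSTATE HY093).
$required = ['name', 'username', 'email', 'pass1'];
$missing  = array_diff($required, array_keys($input));
if ($missing !== []) {
    throw new InvalidArgumentException('Missing fields: ' . implode(', ', $missing));
}
if (!hash_equals($input['pass1'], $input['pass2'])) {
    throw new InvalidArgumentException('Passwords do not match');
}
if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
    throw new InvalidArgumentException('Invalid email address');
}

// Keep only the whitelisted keys; PDO accepts them with or without the colon.
$params = array_intersect_key($input, array_flip($required));
// Store a password hash, never the submitted password.
$params['pass1'] = password_hash($params['pass1'], PASSWORD_DEFAULT);

$stmt = $pdo->prepare(
    'INSERT INTO users (name, username, email, pass) VALUES (:name, :username, :email, :pass1)'
);
$stmt->execute($params);   // values travel as data and are never parsed as SQL

// Read the row back with a parameter: the hostile name is stored literally,
// the table still exists, and the quote()-built query finds the same row.
$check = $pdo->prepare('SELECT name, pass FROM users WHERE username = :u');
$check->execute(['u' => $input['username']]);
$row = $check->fetch(PDO::FETCH_ASSOC);

printf("stored name matches input: %s\n", var_export($row['name'] === $input['name'], true));
printf("password verifies: %s\n", var_export(password_verify($input['pass1'], $row['pass']), true));
printf("rows found via quote(): %d\n", (int) $pdo->query($countByName)->fetchColumn());
printf("unsafe statement would have been: %s\n", $unsafe);
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. The parameterised INSERT and the quote()-built SELECT both treat the hostile name as plain data; only the spliced $unsafe string, which is printed but never run, would have been reinterpreted as SQL.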


9 Comments

So basically $name = $_POST['name']; turns into $name = $pdo->quote($_POST['name']);? Or could i just use the prepared statement and parameters method instead?
Using the prepared statement and parameters method instead is better and safer.
Right, use prepare() with parameters. You'll be glad you did.
But then how would I validate an email? (!filter_var(:email, FILTER_VALIDATE_EMAIL))?
That's a totally separate question from using variables safely in SQL. Search StackOverflow for "php validate email" and you'll find answers like this: stackoverflow.com/questions/5855811/… for an answer.