Jump to content
Larry Ullman's Book Forums

Not Urgent: Escape_Data() V. $Mysqli->Real_Escape_String()

Recommended Posts

Hi Larry (and all).


I had a problem on my VPS that forced me to look a bit more closely at cleaning strings before writing them to MySQL.  


So this got me to wonder:  What is the difference between escape_data() and $mysqli->real_escape_string()?


Larry uses functions like this one during the login process:


 $fn = escape_data($_POST['first_name'], $dbc);


Other authors suggest functions like this one: 

$fn = $mysqli->real_escape_string($_POST['first_name']);


Can someone explain the difference between them (and which one is "preferred")? 

Share this post

Link to post
Share on other sites



escape_data() is a function that you define in one of your scripts. I have seen various versions of this function but my understanding is that the function tests which environment you are running in and then applies the appropriate PHP escape_data_string function to the data. 


So one is a function you define, the other is a standard PHP function (or method in your case above).


Please correct me if my understanding is not correct.


Cheers from Oz.

  • Upvote 1

Share this post

Link to post
Share on other sites

Yep, that's exactly correct (and thanks). escape_data() at its heart calls mysqli_real_escape_string(). But it may apply stripeslashes() first, depending upon your PHP settings. 

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...