grahamgr3 Posted June 17, 2015

What is the difference between mysqli_real_escape_string and escape_data()? When should we use escape_data() as opposed to mysqli_real_escape_string?
Larry Posted June 17, 2015

If you look at the code, you'll see that escape_data() wraps mysqli_real_escape_string() and that it also: 1) removes slashes if Magic Quotes is enabled, and 2) trims strings (I think). You would use escape_data() if you wanted that functionality all the time, or use a modified version if there's other functionality you want on all values used in queries.
mmichals Posted January 23, 2022

Hi Larry,

Not sure if you are still running these forums... I gotta say this book allowed me to start a business with no limits and for that I am very grateful. I wish you could teach me more.

I'm currently getting PHP error log messages related to the function escape_data() part of the code, due to deprecation in the newer versions of PHP. All of my code is written using procedural code. So without changing hundreds of files to prepared statements, how would you replace the escape_data() portion of code to keep input data safe? I am filtering all data using unique regex for each input and, of course, the escape_data() function. So how do we replace the escape_data() function?

    // Check for a first name:
    if ( !empty( $_POST['contact_us_first_name'] ) && preg_match( '/^[A-Z \'.-]{2,20}$/i', $_POST['contact_us_first_name'] ) ) {
        $contact_fname = escape_data( $_POST['contact_us_first_name'], $dbc );
    } else {
        $errors_array['contact_us_first_name'] = 'Please enter your first name!';
    }

    // Check for a last name:
    if ( !empty( $_POST['contact_us_last_name'] ) && preg_match( '/^[A-Z \'.-]{2,40}$/i', $_POST['contact_us_last_name'] ) ) {
        $contact_lname = escape_data( $_POST['contact_us_last_name'], $dbc );
    } else {
        $errors_array['contact_us_last_name'] = 'Please enter your last name!';
    }
Larry Posted January 28, 2022

Thanks for the nice words! I truly appreciate it. Yes, I'm still running these forums for a while longer... As for your question, what is the specific version of PHP you're using and what is the error message that comes from the escape_data() function usage?
mmichals Posted February 6, 2022

On 1/27/2022 at 10:40 PM, Larry said:
Thanks for the nice words! I truly appreciate it. Yes, I'm still running these forums for a while longer... As for your question, what is the specific version of PHP you're using and what is the error message that comes from the escape_data() function usage?

An error occurred in script '/home/XXXXX/XXXXX.com/includes/config.inc.php' on line 101: Function get_magic_quotes_gpc() is deprecated

I use DreamHost and they are now suggesting running PHP 7.4. According to this post on stackoverflow, we don't need to sanitize input: https://stackoverflow.com/questions/61054418/php-7-4-deprecated-get-magic-quotes-gpc-function-alternative/61260285

So how should the following code be updated?

    function escape_data($data, $db) {
        if (get_magic_quotes_gpc()) {
            $data = stripslashes($data);
        }
        return mysqli_real_escape_string($db, trim($data));
    }
Larry Posted February 8, 2022

Ah, okay, thanks for the additional context. You should be able to update the code by just removing these three lines:

    if (get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

To be clear about that StackOverflow post, you don't need to sanitize input if you're using prepared statements. Since you're not using prepared statements here, failing to use mysqli_real_escape_string() will cause your query to break.
mmichals Posted February 8, 2022

Can you please explain what you mean when you say "failing to use mysqli_real_escape_string() will cause your query to break"?
Larry Posted February 10, 2022

Sure, sure! So, simply put, a problematic character in a value could break the syntax of the SQL query when you go to run it. For example, say a person's last name is O'Brien, then this query:

    INSERT INTO people (last_name) VALUES ('$last_name')

becomes

    INSERT INTO people (last_name) VALUES ('O'Brien')

That query won't run in the database because of a syntax error. To prevent this problem, PHP developed this thing called Magic Quotes, which automatically escaped problematic characters. But the mysqli_real_escape_string() function actually does a better job of that, as it'll have database-specific results. So what this escape_data() function did was run data through mysqli_real_escape_string(). However, if Magic Quotes was on, that'd result in a value being overly escaped, so that's what the IF clause was addressing.
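The following is an added example, not code from the book or from any post in this thread. It puts together the two answers above: the escape_data() function with the three Magic Quotes lines removed, the O'Brien value run through an unescaped query (which fails), the same value escaped (which works), the double-escaping that the old get_magic_quotes_gpc() check was guarding against (simulated here with addslashes(), since Magic Quotes no longer exists), and, for comparison, the prepared-statement form that needs no escaping at all. It assumes a reachable MySQL server; the connection details are placeholders to replace, and the table is a constructed temporary table so nothing persists.

```php
<?php
// Added example, not the book's or the thread's code. Assumes a live MySQL
// server reachable with the PLACEHOLDER credentials below and permission to
// create a temporary table.
declare(strict_types=1);

// Turn MySQL errors into exceptions so the failing query below is visible.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// PLACEHOLDER connection details: replace with your own.
$dbc = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// mysqli_real_escape_string() escapes according to the connection charset,
// so set it explicitly rather than relying on the server default.
mysqli_set_charset($dbc, 'utf8mb4');

// Constructed table for the demonstration; TEMPORARY means it vanishes on disconnect.
mysqli_query($dbc, 'CREATE TEMPORARY TABLE people (
    id INT AUTO_INCREMENT PRIMARY KEY,
    last_name VARCHAR(40) NOT NULL
)');

// 1. escape_data() as it reads once the get_magic_quotes_gpc() branch is
//    removed (Magic Quotes was dropped in PHP 5.4, the function in PHP 8.0).
//    Trimming and database-aware escaping are unchanged.
function escape_data(string $data, mysqli $db): string
{
    return mysqli_real_escape_string($db, trim($data));
}

// Constructed sample value, standing in for $_POST['contact_us_last_name'].
$last_name = "O'Brien";

// 2. Unescaped: the apostrophe closes the string literal early, so the SQL
//    sent is  INSERT INTO people (last_name) VALUES ('O'Brien')  and MySQL
//    rejects it with a syntax error.
try {
    mysqli_query($dbc, "INSERT INTO people (last_name) VALUES ('$last_name')");
    echo "Unexpected: unescaped query ran\n";
} catch (mysqli_sql_exception $e) {
    echo 'Unescaped query failed as expected: ' . $e->getMessage() . "\n";
}

// 3. Escaped: the literal becomes 'O\'Brien' and the row is stored correctly.
$safe = escape_data($last_name, $dbc);
mysqli_query($dbc, "INSERT INTO people (last_name) VALUES ('$safe')");
echo "Escaped literal placed in the query: $safe\n";

// 4. Why the old IF clause existed: Magic Quotes had already added a backslash
//    to every $_POST value, so escaping again doubled it and 'O\'Brien' ended
//    up in the table. addslashes() is used only to simulate what Magic Quotes did.
$magic_quoted = addslashes($last_name);                        // O\'Brien
$over_escaped = mysqli_real_escape_string($dbc, $magic_quoted); // O\\\'Brien
echo "Double-escaped value that stripslashes() used to prevent: $over_escaped\n";

// 5. The prepared-statement alternative: the value is sent separately from
//    the SQL text, so there is nothing to escape and nothing to break.
$stmt = mysqli_prepare($dbc, 'INSERT INTO people (last_name) VALUES (?)');
mysqli_stmt_bind_param($stmt, 's', $last_name);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);

// Both stored rows read back as O'Brien, with no backslash.
$result = mysqli_query($dbc, 'SELECT last_name FROM people ORDER BY id');
while ($row = mysqli_fetch_assoc($result)) {
    echo 'Stored: ' . $row['last_name'] . "\n";
}
mysqli_close($dbc);
```

Run it from the command line with `php example.php` after filling in the placeholder credentials. The regex checks from the earlier post still belong in front of escape_data(): validation decides whether a value is acceptable at all, while escaping (or a bound parameter) only makes an accepted value safe to place in the query.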