Larry Ullman's Book Forums

Difference Between Mysqli_Real_Escape_String And Escape_Data()



If you look at the code, you'll see that escape_data() wraps mysqli_real_escape_string() and that it also: 1) removes slashes if Magic Quotes is enabled, and, 2) trims strings (I think). You would use escape_data() if you wanted that functionality all the time, or use a modified version if there's other functionality you want on all values used in queries. 



Hi Larry,

Not sure if you are still running these forums...  I gotta say this book allowed me to start a business with no limits and for that I am very grateful.  I wish you could teach me more.

I'm currently getting PHP error log messages related to the function escape_data() part of the code - due to deprecation in the newer versions of PHP.  All of my code is written using procedural code.  So without changing hundreds of files to prepared statements, how would you replace the escape_data() portion of code to keep input data safe?  I am filtering all data using unique regex for each input and, of course, the escape_data() function.  So how do we replace the escape_data() function?

// Check for a first name:
if ( !empty( $_POST['contact_us_first_name'] ) && preg_match( '/^[A-Z \'.-]{2,20}$/i', $_POST['contact_us_first_name'] ) ) {
    $contact_fname = escape_data( $_POST['contact_us_first_name'], $dbc );
} else {
    $errors_array['contact_us_first_name'] = 'Please enter your first name!';
}

// Check for a last name:
if ( !empty( $_POST['contact_us_last_name'] ) && preg_match( '/^[A-Z \'.-]{2,40}$/i', $_POST['contact_us_last_name'] ) ) {
    $contact_lname = escape_data( $_POST['contact_us_last_name'], $dbc );
} else {
    $errors_array['contact_us_last_name'] = 'Please enter your last name!';
}


Thanks for the nice words! I truly appreciate it. Yes, I'm still running these forums for a while longer...

As for your question, what is the specific version of PHP you're using and what is the error message that comes from the escape_data() function usage? 


On 1/27/2022 at 10:40 PM, Larry said:

Thanks for the nice words! I truly appreciate it. Yes, I'm still running these forums for a while longer...

As for your question, what is the specific version of PHP you're using and what is the error message that comes from the escape_data() function usage? 

An error occurred in script '/home/XXXXX/XXXXX.com/includes/config.inc.php' on line 101:
Function get_magic_quotes_gpc() is deprecated

I use DreamHost and they are now suggesting running PHP 7.4.

According to this post on stackoverflow, we don't need to sanitize input:

https://stackoverflow.com/questions/61054418/php-7-4-deprecated-get-magic-quotes-gpc-function-alternative/61260285

So how should the following code be updated?

function escape_data($data, $db) {
    if(get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }
    return mysqli_real_escape_string($db, trim($data));
}


Ah, okay, thanks for the additional context. You should be able to update the code by just removing these three lines:

    if(get_magic_quotes_gpc()) {
        $data = stripslashes($data);
    }

To be clear about that StackOverflow post, you don't need to sanitize input if you're using prepared statements. Since you're not using prepared statements here, failing to use mysqli_real_escape_string() will cause your query to break. 


Sure, sure! So, simply put, if there's a problematic character in a value, it could break the syntax of the SQL query when you go to run it. For example, say a person's last name is O'Brien, then this query:

INSERT INTO people (last_name) VALUES ('$last_name')

becomes

INSERT INTO people (last_name) VALUES ('O'Brien')

That query won't run in the database because of a syntax error.

To prevent this problem, PHP developed this thing called Magic Quotes, which automatically escaped problematic characters. But the mysqli_real_escape_string() function actually does a better job of that, as it'll have database-specific results. So what this escape_data() function did was run data through mysqli_real_escape_string(). However, if Magic Quotes was on, that'd result in a value being overly escaped, so that's what the IF clause was addressing. 

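As an added example (not code from the thread or from the book), here is the PHP 7.4+ version of escape_data() with the Magic Quotes branch removed, used on the O'Brien INSERT from the post above, next to the prepared-statement form of the same INSERT. The connection parameters, the people table and the utf8mb4 charset are assumptions for the example.

```php
<?php
// Added example: escape_data() without the get_magic_quotes_gpc() branch,
// beside a prepared statement for the same INSERT. The connection details
// below are placeholders (assumption), not values from the thread.
$dbc = mysqli_connect('localhost', 'db_user', 'db_pass', 'db_name');
if (!$dbc) {
    die('Connection failed: ' . mysqli_connect_error());
}
// mysqli_real_escape_string() escapes according to the connection's
// character set, so set the charset before escaping anything.
mysqli_set_charset($dbc, 'utf8mb4');

// escape_data() for PHP 7.4+: Magic Quotes no longer exists, so there is
// nothing to strip; just trim and escape for this connection.
function escape_data($data, $db) {
    return mysqli_real_escape_string($db, trim($data));
}

// 1) Escaping approach, as in the thread's procedural code.
//    "O'Brien" becomes O\'Brien, so the quoted literal stays intact.
$last_name = escape_data("O'Brien", $dbc);
$q = "INSERT INTO people (last_name) VALUES ('$last_name')";
if (!mysqli_query($dbc, $q)) {
    echo 'Query failed: ' . mysqli_error($dbc) . "\n";
}

// 2) Prepared-statement approach: the value is sent separately from the
//    SQL text, so no escaping is needed and the quote cannot break syntax.
$raw_name = "O'Brien";
$stmt = mysqli_prepare($dbc, 'INSERT INTO people (last_name) VALUES (?)');
if ($stmt === false) {
    die('Prepare failed: ' . mysqli_error($dbc));
}
mysqli_stmt_bind_param($stmt, 's', $raw_name);
if (!mysqli_stmt_execute($stmt)) {
    echo 'Execute failed: ' . mysqli_stmt_error($stmt) . "\n";
}
mysqli_stmt_close($stmt);
mysqli_close($dbc);
```

Note that mysqli_real_escape_string() only protects a value placed inside a quoted string literal; a number interpolated without quotes still needs casting (for example with (int)) or a prepared statement.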
