Real escape string and PDO [duplicate]

mysql php pdo

I'm using PDO after migrating away from the mysql library. What do I use in place of the old real_escape_string function?

I need to escape single quotes so they will go into my database and I think there may be a better way to handle this without add(ing) slashes to all my strings. What should I be using?


Solution 1:

You should use PDO Prepare

From the link:

Calling PDO::prepare() and PDOStatement::execute() for statements that will be issued multiple times with different parameter values optimizes the performance of your application by allowing the driver to negotiate client and/or server side caching of the query plan and meta information, and helps to prevent SQL injection attacks by eliminating the need to manually quote the parameters.

Solution 2:

PDO offers an alternative designed to replace mysql_escape_string() with the PDO::quote() method.

Here is an excerpt from the PHP website:

<?php
    $conn = new PDO('sqlite:/home/lynn/music.sql3');

    /* Simple string */
    $string = 'Nice';
    print "Unquoted string: $string\n";
    print "Quoted string: " . $conn->quote($string) . "\n";
?>

The above code will output:

Unquoted string: Nice
Quoted string: 'Nice'

Related

What do <o:p> elements do anyway?
How to pass a datetime parameter?
ECMAScript 6 class destructor
Fragment onCreateView and onActivityCreated called twice
Step by step interactive debugger for Rust?
Ninject vs Unity for DI [closed]
Android Room: Insert relation entities using Room
Is there a way to exclude a Maven dependency globally?
Mocking objects with Moq when constructor has parameters
Convert PDF to PNG using ImageMagick
what is difference between success and .done() method of $.ajax
Sass or Compass without ruby?