Call to undefined method PDO::real_escape_string()

Question

I want to insert data to MS access database using php and angular js My Angular JS Code Following

var app=angular.module('cardupdate',[]);
app.controller('cardContl',function($scope,$http){
    $scope.insertCardInfo=function(){
        $http.post("insert.php",{'name':$scope.name,'email':$scope.email})
                .success(function(){
                    $scope.msg="data inserted success";
                });
        };
});

and insert.php code following

$dbName =$_SERVER["DOCUMENT_ROOT"] . "/name/test.mdb";
if (!file_exists($dbName)) {
    die("Could not find database file.");
}
$db = new PDO("odbc:DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=$dbName; Uid=; Pwd=;");
$connstr = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=$dbName;";
$conn_access = odbc_connect($connstr, "", "");

$data=json_decode(file_get_contents("php://input"));
$name=$db->real_escape_string($data->name);
$email=$db->real_escape_string($data->email);
$q="insert into Table1 values(1,'$name','$email')";
odbc_exec($conn_access, $q);

i am getting following error :

Fatal error: Call to undefined method PDO::real_escape_string() in C:\\xampp\\htdocs\\name\\insert.php on line 14

Answer 1

The function you are attempting to use doesn't exist hence the error. What you are looking for is PDO's alternative (albeit lesser known) known as PDO::quote .

However be warned:

If you are using this function to build SQL statements, you are strongly recommended to use PDO::prepare() to prepare SQL statements with bound parameters instead of using PDO::quote() to interpolate user input into an SQL statement. Prepared statements with bound parameters are not only more portable, more convenient, immune to SQL injection, but are often much faster to execute than interpolated queries, as both the server and client side can cache a compiled form of the query.

So you'd rather use prepared statements and avoid the whole escaping process.