mysql_real_escape_string with PDO PHP

Hello, I am new to PDO, so I am getting confused and getting errors ;) with mysql_real_escape_string.

Can anyone help? Here is my code:

    if (!empty($_POST) && isset($_POST)) {

        include('connection_pdo.php');

        $dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

        // mysql_real_escape_string() belongs to the old mysql extension, not to PDO
        $source_url = mysql_real_escape_string($_POST['source_url']);
        $class      = mysql_real_escape_string($_POST['class']);
        $year       = mysql_real_escape_string($_POST['year']);
        $date       = time();
        $ip         = $_SERVER['REMOTE_ADDR'];

        $insert = $dbh->prepare("
          INSERT IGNORE INTO school_students_images
                    ( folder_name,  image_url,  source_url,  class,  year,  date,  ip )
            VALUES  (:folder_name, :image_url, :source_url, :class, :year, :date, :ip)
        ");

        $a = 0;
        while ($a < 1000) {
            $a++;
            $insert->execute(array(
                'folder_name' => $name->content, // getting from other source
                'image_url'   => $link[$a],      // getting from other source
                'source_url'  => $source_url,
                'class'       => $class,
                'year'        => $year,
                'date'        => $date,
                'ip'          => $ip
            ));
        }
    }

It is not working, I am getting an error, but if I use it without:

    $source_url= ($_POST['source_url']);
    $class     = ($_POST['class']);
    $year      = ($_POST['year']);
    $date      = time();
    $ip        = $_SERVER['REMOTE_ADDR'];

it is working... so I am confused: is it safe to POST into the database without mysql_real_escape_string? (Is PDO giving any security by default?) Or am I making some mistake in this? Please help.

Yes, PDO automatically escapes your data, so you don't need to use mysql_real_escape_string. See here, for example.

mysql_real_escape_string requires an active mysql connection made through a mysql_connect call previously... So yes, it won't work.

PDO does that automatically for you anyway.

With prepared statements you don't have to escape your variables. The driver will do it for you automatically, depending on the database you are using underneath. Actually you mustn't escape it yourself, since this will double escape it.
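An added example, not from the question or the answers: it binds values through a PDO prepared statement and shows what the last answer calls double escaping, where a value escaped by hand before binding is stored with the extra backslash. Assumptions: an in-memory SQLite database so it runs offline, a reduced three-column version of the question's table, a hypothetical `insertImage()` helper with a constructed year range, and `addslashes()` standing in for `mysql_real_escape_string()`, which cannot be called without a `mysql_connect()` link.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite so the example runs offline. With MySQL, use a DSN
// such as "mysql:host=$host;dbname=$dbname;charset=utf8mb4" and pass
// [PDO::ATTR_EMULATE_PREPARES => false] so the server performs the binding.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE school_students_images (source_url TEXT, class TEXT, year INTEGER)');

// Hypothetical helper: validate the input's type, then bind it. No escaping.
function insertImage(PDO $dbh, string $sourceUrl, string $class, string $year): void
{
    $yearInt = filter_var($year, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1900, 'max_range' => 2100]]); // constructed range
    if ($yearInt === false) {
        throw new InvalidArgumentException('year must be an integer between 1900 and 2100');
    }
    $stmt = $dbh->prepare(
        'INSERT INTO school_students_images (source_url, class, year)
         VALUES (:source_url, :class, :year)'
    );
    $stmt->bindValue(':source_url', $sourceUrl, PDO::PARAM_STR);
    $stmt->bindValue(':class', $class, PDO::PARAM_STR);
    $stmt->bindValue(':year', $yearInt, PDO::PARAM_INT);
    $stmt->execute();
}

// Constructed inputs containing quotes and SQL-looking text.
$class = "O'Brien's class";
$url   = "http://example.com/a?b='); DROP TABLE school_students_images; --";

insertImage($dbh, $url, $class, '2013');             // bound as-is: stored verbatim
insertImage($dbh, $url, addslashes($class), '2013'); // escaped first: backslash is stored too

foreach ($dbh->query('SELECT class, source_url FROM school_students_images') as $row) {
    echo $row['class'], ' | ', $row['source_url'], PHP_EOL;
}

try {
    insertImage($dbh, $url, $class, '2013 OR 1=1');  // rejected by validation, never reaches SQL
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Binding only protects values: table names, column names and `ORDER BY` directions cannot be bound as parameters and need an allow-list instead.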
