Prepared Statement + mysqli_real_escape_string?

DoubleDee · August 15, 2011, 2:57am

Is there a way to use mysqli_real_escape_string so that I can effectively escape single and double quotes from a data entry form before being inserted into MySQL, PLUS get the added benefits of a Prepared Statement?

Debbie

Wuiqed · August 15, 2011, 11:00pm

There’s no need for the mysql escape function when you’re using prepared statements.

oddz · August 15, 2011, 11:11pm

yeah… if your using that function with prepared statements where there should be a separation between SQL and user controlled data your not doing things correctly.

DoubleDee · August 16, 2011, 3:27am

If I wanted to insert this into MySQL…

Debbie’s ride to work was late today, so she grabbed the bus.
It turns out the problem was that Mike’s car had a flat tire.

How would a Prepared Statement handle the single quotes?

Without escape characters it would break.

With mysqli_real_escape_string it would be fine.

Debbie

logic_earth · August 16, 2011, 6:44am

Prepared Statements does not need to handle the single quotes. The SQL query and the data never mix. They are handled independently of one another. Understand, escape_string escapes those things that have meaning in an SQL query, however, if the data is never part of an SQL query it doesn’t need to escape those.

You do not use escape_string with prepared statements.

DoubleDee · August 16, 2011, 11:58pm

So for my needs, I don’t need to use Prepared Statements, but I will need mysqli_real_escape_string to escape ’ and " in my HTML markup, right?

Debbie

cranial_bore · August 17, 2011, 1:58am

mysqli_real_escape_string gives a hint about it’s purpose with the first word of the function name (it for MySQL, not HTML).

It’ll escape ’ into \’ which is still going to look like \’ in your HTML.
It should become & #039; Use [fphp]htmlentities[/fphp]

TheRedDevil · August 17, 2011, 1:18pm

A prepared statement will automatically do a normal SQL comment of single quotes (if you tell the engine you use double quotes instead of single quotes for strings, it will do the same with those etc).

If you take a look on the example below, this is how your string would look “internally” after you bind it to the prepared statement. It will add enclosed single quotes since you tell its a string, and any single quotes inside the string will get one more appended to it.

However when the insert is completed, it would look exactly the same as the string you originally had.

Example:
‘Debbie’‘s ride to work was late today, so she grabbed the bus.’