Using mysqli_real_escape_string()

I am learning PHP and I have a script I am working on. Basically the script uses prepValue but I want to use mysqli_real_escape_string to prevent most malicious SQL inserts. When I replace $email = prepValue($_POST['email']); with $email = mysqli_real_escape_string($_POST['email']); a blank value posts to the db. So how can I use mysqli_real_escape_string and if needed prepValue(). Thanks

According to the documentation at http://php.net/manual/en/mysqli.real-escape-string.php if you use the function in the procedural style above, the first parameter is the link to your database connection, and from what I read if you leave it blank, it returns a blank string.

why do that instead of using prepare/bind to prevent ALL malicious SQL inserts (since the SQL goes in the prepare statement and the data in the bind statement making it completely impossible for the data to be misinterpreted as SQL.

Exactly I don’t know why anyone does this any longer. Points to the OP for at least knowing to escape values put in queries but doing prepared statements eliminates the need all together and the capability to do that has been around for a very long time.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.