According to PHP.net that is

greg — Wed, 23 Apr 2008 22:56:09 +0000

According to PHP.net that is depreciated, and does not escape % and _.

Besides, if you are using mysql_real_escape you are doing a database query, and if you are doing a database query you have a connection.

The three are a package, and without a DB connection and a query, the escape is pointless.
And they will work on and update the real_escape, as the other one is depreciated it wont receive improvements.

Also, I think the fact it escapes the string according to the database's current character set makes it more robust and less likely to give an error.

php.net wrote:
mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

So in my opinion you should use real_escape.

If you want to escape the

pr0gr4mm3r — Tue, 22 Apr 2008 18:02:46 +0000

If you want to escape the string before connecting to the database, you can use mysql_escape_string(). This function is probably safe to use as long as your database doesn't use some funky charset.

See this thread for more info.

Glad to help. One other

greg — Sun, 20 Apr 2008 18:01:45 +0000

Glad to help.

One other thing I will mention, a lesson I learned recently.
The mysql_real_escape_string() function needs a database connection FIRST to actually work.
Something about it using the database char set for it's escape parameters (something like that).

So have the mysql_connect() and mysql_select_db() before you escape the strings. I found it returns an error if you don't, and as with all PHP errors it halts the PHP script completely so stops the page working/loading.

That's a great explanation

drew22299 — Sun, 20 Apr 2008 16:50:08 +0000

That's a great explanation as always, thanks

If you used

greg — Sun, 20 Apr 2008 03:43:02 +0000

If you used mysql_real_escape_string on any variables you run through the query then you don't really need to check it.
That function will "escape" certain chars in a string like ' " etc so they are read as text only.
So regardless of what a user types in an input box where that input data is stored in a variable and used in a query, it will only ever be used as text, so it can't change your query.

So if a user enters into an input field ' OR '1=1' , instead of it changing your query to - where username = '' OR '1=1'
The actual string will contain the TEXT - '' OR 1=1''
So it is now looking for a user called by the name: '' OR 1=1''
("single quote space OR 1 = 1 single quote)

I suppose you could test it by entering that data into your DB as a username to test see if it does find a username by that name. If it finds a user called: '' OR 1=1'' then you know it works fine.

You could also test it by trying to change the query yourself to look for something you know exists.

So if you have a username in the DB called "drew", type this in your input box
' OR 'drew'
It shouldnt work if you escaped the string first, as it will be looking for a username called: ' OR 'drew'
(single quote OR single quote drew single quote)

I never really test that far as I put all vars that go through the query through real_escape_string first, I just trust it as I know how escaping chars in PHP works.

This might help you
http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

And lots of other info
http://www.securiteam.com/securityreviews/5DP0N1P76E.html