There are very rare encodings supported by MySQL in which mysql_escape_string() allows SQL injection but mysql_real_escape_string() does not.
However, as long as your encoding is either single-byte or UTF-8, there is no harm in using mysql_escape_string() everywhere, and you can use it without fear.
On the other hand, it should be noted that mysql_real_escape_string() will in fact not do anything good if used on its own.
It will work as desired only if the mysql driver encoding has been set using the mysql_set_charset() function (or via some MySQL server setup).
Otherwise, it will act in exactly the same way as the defamed mysql_escape_string().
It should also be noted that both of these functions are in fact discouraged, mainly due to misuse.
And people here are actively promoting PDO prepared statements.
As you might guess, PDO prepared statements will not do anything good either if they are used on their own, out of the box. Some measures need to be taken.
You need to either
- turn off emulation mode, which is enabled by default,
- or set the mysql driver encoding for our old friend, although this is allowed only in the DSN and is available only as of 5.3.3,
otherwise there will be no difference between PDO and mysql_escape_string() in terms of behaviour for some extremely rare encodings.
Your common sense
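The two PDO settings the answer lists, shown side by side as an added example that is not part of the original answer; the host, database, credentials and the `users` table are placeholders.

```php
<?php
// Added example, not code from the answer above. Host, dbname, user,
// password and the `users` table are placeholders.

// Weak setup: no charset in the DSN and emulation left at its default (on).
// PDO then escapes bound values client-side without knowing the connection
// encoding, which is the same situation as mysql_escape_string().
//   $pdo = new PDO('mysql:host=localhost;dbname=test', 'user', 'secret');

// Hardened setup: charset declared in the DSN (honoured as of PHP 5.3.3,
// per the answer) and emulation turned off, so the server receives the
// query text and the parameter values separately.
$dsn = 'mysql:host=localhost;dbname=test;charset=utf8mb4';
$pdo = new PDO($dsn, 'user', 'secret', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);

function findUser(PDO $pdo, string $name): ?array
{
    // The untrusted value is bound as a parameter, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A quote or OR-clause in the input is just a literal name to compare against.
var_dump(findUser($pdo, "o'brien' OR '1'='1"));
```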