Harinder

Reputation: 1257

mysql_real_escape_string with PDO PHP

Hello, I am new to PDO, so I am getting confused and getting errors ;) with mysql_real_escape_string.

Can anyone help? Here is my code:

    if (!empty($_POST) && isset($_POST)) {

        include ('connection_pdo.php');   // defines $host, $dbname, $user, $pass

        $dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

        // Form fields, escaped with the old mysql_* function before binding
        $source_url = mysql_real_escape_string($_POST['source_url']);
        $class      = mysql_real_escape_string($_POST['class']);
        $year       = mysql_real_escape_string($_POST['year']);
        $date       = time();
        $ip         = $_SERVER['REMOTE_ADDR'];

        $insert = $dbh->prepare("
          INSERT IGNORE INTO school_students_images
                    ( folder_name,  image_url,  source_url,  class, year , date , ip )
            VALUES  (:folder_name, :image_url, :source_url, :class, :year, :date, :ip)
        ");

        // Insert up to 1000 image rows for this submission
        $a = 0;
        while ($a < 1000) {
            $a++;
            $insert->execute(array(
                'folder_name' => $name->content, // getting from other source
                'image_url'   => $link[$a],      // getting from other source
                'source_url'  => $source_url,
                'class'       => $class,
                'year'        => $year,
                'date'        => $date,
                'ip'          => $ip
            ));
        }
    }

It is not working and I am getting an error, but if I use it without mysql_real_escape_string:

    $source_url= ($_POST['source_url']);
    $class     = ($_POST['class']);
    $year      = ($_POST['year']);
    $date      = time();
    $ip        = $_SERVER['REMOTE_ADDR'];

it is working ... so I am confused: is it safe to POST into the database without mysql_real_escape_string? (Is PDO giving any security by default?) Or am I making some mistake in this? Please help.

Upvotes: 1

Views: 16526

Answers (3)

Andreas Wong

Reputation: 60516

mysql_real_escape_string requires an active mysql connection made previously through a mysql_connect call... So yes, it won't work.

PDO does that automatically for you anyway.

Upvotes: 4

sivann

Reputation: 2131

With prepared statements you don't have to escape your variables. The driver will do it for you automatically, depending on the database you are using underneath. Actually you mustn't escape it yourself, since this will double escape it.

Upvotes: 2

Daan

Reputation: 3348

Yes, PDO automatically escapes your data, so you don't need to use mysql_real_escape_string. See here, for example.

Upvotes: 11
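The three answers make the same two points: bound parameters need no manual escaping, and escaping before binding double-escapes the data. The following script is an added example, not code from the question or any of the answers. It assumes the pdo_sqlite extension is loaded and uses an in-memory SQLite database in place of the poster's MySQL table so that it runs offline; the column list is reduced from the post, and the input strings are constructed for the demonstration. addslashes() stands in for mysql_real_escape_string(), which needs a live mysql_* connection and was removed together with the mysql extension in PHP 7.

```php
<?php
// Added example, not code from the question or any of the answers.
// Assumptions: the pdo_sqlite extension is loaded, and an in-memory SQLite
// database stands in for the poster's MySQL table so the script runs offline.
// The table and column names are reduced from the post; the data is made up.

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE school_students_images (source_url TEXT, class TEXT, year TEXT)');

// Constructed hostile input: the quote closes a string literal early and the
// rest reads as SQL if it is ever concatenated into a query.
$hostile = "x' OR '1'='1";

$insert = $dbh->prepare('
    INSERT INTO school_students_images (source_url, class, year)
    VALUES (:source_url, :class, :year)
');

// 1) Correct: hand the raw input to execute(). The value is bound as data, so
//    the quote is stored, not parsed.
$insert->execute(['source_url' => $hostile, 'class' => '10th', 'year' => '2012']);

// 2) Wrong: escaping and then binding. addslashes() stands in for
//    mysql_real_escape_string(), which needs a live mysql_* connection and was
//    removed with the mysql extension in PHP 7. Nothing strips the slashes
//    back out, so the backslashes end up in the table.
$insert->execute(['source_url' => addslashes($hostile), 'class' => '10th', 'year' => '2012']);

$rows = $dbh->query('SELECT source_url FROM school_students_images ORDER BY rowid')
            ->fetchAll(PDO::FETCH_COLUMN);

echo "row 1 stored verbatim:        ", var_export($rows[0] === $hostile, true), "\n";
echo "row 2 carries extra slashes:  ", var_export($rows[1] === "x\\' OR \\'1\\'=\\'1", true), "\n";

// 3) Why binding matters: the same input in a bound WHERE clause matches only
//    the row whose stored value literally equals it...
$bound = $dbh->prepare('SELECT COUNT(*) FROM school_students_images WHERE source_url = :u');
$bound->execute(['u' => $hostile]);
echo "bound lookup matches:         ", (int) $bound->fetchColumn(), " row(s)\n";

// ...whereas string concatenation turns it into
//        WHERE source_url = 'x' OR '1'='1'
//    which is true for every row. This is the bug prepared statements remove.
$concat = $dbh->query("SELECT COUNT(*) FROM school_students_images WHERE source_url = '$hostile'");
echo "concatenated lookup matches:  ", (int) $concat->fetchColumn(), " row(s)\n";
```

Run it with `php example.php`. Two caveats a practitioner should keep in mind. First, binding covers values only: table and column names, `ORDER BY` targets and keywords such as MySQL's `IGNORE` cannot be passed as parameters and must come from an allow-list in your own code. Second, with the MySQL driver PDO emulates prepares by default, meaning PDO itself quotes the value client-side before sending the query; setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the server prepare the statement and receive the value separately. In both modes the application passes the raw value to `execute()` and never escapes it first.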
