SOFe

Reputation: 8224

PHP mysqli_real_escape_string argument

I am not asking how to use the function.

I know what the function mysqli_real_escape_string is about or how to use it, but I want to ask, why does its first argument require a reference to a mysqli connection?

Here are some guesses, but I don't know if I guessed correctly:

This problem is troubling me because I have multithreading in my software, and I have a function that accepts a string query as parameter and pushes the query to another thread to execute, so I can't get an instance of MySQLi to escape strings in my query with.

Upvotes: 1

Views: 460

Answers (2)

Legoboy

Reputation: 102

Alternative to mysql_real_escape_string without connecting to DB

This basically explains why. The function has to know what char set the MySQL connection uses. If you don't, multi-byte SQL injections may be possible, depending on your code. Anyways, you are required to use a MySQL instance unless you write your own function.

Upvotes: 1

Franz Gleichmann

Reputation: 3579

From http://php.net/manual/de/mysqli.real-escape-string.php : mysqli::real_escape_string -- mysqli_real_escape_string — Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection

so in short: the function has to know what charset your connection uses.

Upvotes: 2
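The charset dependence both answers describe, as an added example that is not part of the original thread and is not PHP's or MySQL's own code: a simplified Python model in which the same escaped bytes are harmless when the server decodes them as latin1 but leave a live quote when it decodes them as GBK. The helper names and the sample bytes are constructed for illustration, and rejecting malformed input in `charset_escape` is an assumption of this model.

```python
# Simplified model (hypothetical helpers, not mysqli's implementation).
# Characters escaped here match the set documented for mysqli_real_escape_string.
SPECIAL = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
           "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}


def byte_escape(raw: bytes) -> bytes:
    """Charset-blind escaping: treats every byte as one character."""
    out = bytearray()
    for b in raw:
        ch = chr(b)
        out += SPECIAL[ch].encode("ascii") if ch in SPECIAL else bytes([b])
    return bytes(out)


def charset_escape(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode to characters first, then escape.

    Malformed input raises UnicodeDecodeError instead of being passed on.
    """
    text = raw.decode(charset)
    return "".join(SPECIAL.get(c, c) for c in text).encode(charset)


def unescaped_quotes(escaped: bytes, server_charset: str) -> int:
    """Count single quotes that are not protected by a backslash once the
    bytes are decoded the way the server's connection charset would."""
    text = escaped.decode(server_charset)
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2              # backslash consumes the next character
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    sample = b"\xbf'"           # constructed input: lone 0xBF lead byte + quote
    blind = byte_escape(sample)  # bytes BF 5C 27
    for cs in ("latin1", "gbk"):
        print(cs, "live quotes after blind escaping:", unescaped_quotes(blind, cs))
    valid = b"\xbf\\'"          # constructed: valid GBK character BF 5C, then a quote
    print("aware:", unescaped_quotes(charset_escape(valid, "gbk"), "gbk"))
```

For the threading case in the question, this is also why passing the query text and its parameters separately to the worker that owns the connection, and binding them there with a prepared statement, avoids the need to escape without a connection.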
