PhpNoob

Reputation: 23

Are these mysql_real_escape_string usages the same?

Are they both the same? Thanks.

// Form 1: escape first, then interpolate the escaped value into the query string.
$user = $_POST['user'];
$user = mysql_real_escape_string($user);
$result = mysql_fetch_array(mysql_query("SELECT * FROM accounts WHERE id='$user'"));

vs

// Form 2: escape inline, inside the sprintf() call that builds the query.
$user = $_POST['user'];
$result = mysql_fetch_array(mysql_query(sprintf("SELECT * FROM accounts WHERE id='%s'", mysql_real_escape_string($user))));

Upvotes: 2

Views: 191

Answers (3)

Sonny

Reputation: 8336

Yes, that is equivalent.

You can verify it like this:

$user = $_POST['user'];
$user = mysql_real_escape_string($user);
echo "SELECT * FROM accounts WHERE id='$user'";

-vs-

$user = $_POST['user'];
echo sprintf("SELECT * FROM accounts WHERE id='%s'", mysql_real_escape_string($user));

Upvotes: 3
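The echo check above can be turned into a self-contained script. This is an added example, not code from the question or any of the answers. Because mysql_real_escape_string() requires an open MySQL connection (and the whole mysql_* extension was removed in PHP 7), the script uses a local stand-in, escape_like_mysql(), that applies the escaping rules the function documents; that stand-in, the function names, and the sample inputs are assumptions made for the demo. Besides confirming that the interpolated and sprintf() forms yield byte-identical SQL, it shows the caveat a reviewer would raise on either form: escaping only protects a value that is wrapped in quotes in the query, so an unquoted placeholder such as id=%s is still injectable no matter which style you use.

```php
<?php
// Added example, not from the original Q&A.
// Stand-in for mysql_real_escape_string() (assumption for this demo): it
// backslash-escapes the same characters the real function does:
// NUL, \n, \r, backslash, single quote, double quote and Ctrl-Z.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Form 1 from the question: escape first, then interpolate into the string.
function query_interpolated(string $user): string {
    $user = escape_like_mysql($user);
    return "SELECT * FROM accounts WHERE id='$user'";
}

// Form 2 from the question: escape inline inside sprintf().
function query_sprintf(string $user): string {
    return sprintf("SELECT * FROM accounts WHERE id='%s'", escape_like_mysql($user));
}

// Same escaping, but the placeholder is NOT wrapped in quotes. Escaping only
// neutralises quote characters; with no quotes around the value it cannot
// stop the input from being parsed as SQL.
function query_unquoted(string $user): string {
    return sprintf("SELECT * FROM accounts WHERE id=%s", escape_like_mysql($user));
}

// Constructed sample inputs: a benign id, a quote-breakout attempt, and a
// payload that contains nothing for the escaper to touch.
$inputs = [
    "42",
    "x' OR '1'='1",
    "1 OR 1=1",
];

foreach ($inputs as $in) {
    $a = query_interpolated($in);
    $b = query_sprintf($in);
    printf("input: %s\n", $in);
    printf("  interpolated: %s\n", $a);
    printf("  sprintf:      %s\n", $b);
    printf("  identical:    %s\n", $a === $b ? 'yes' : 'no');
    printf("  unquoted:     %s\n\n", query_unquoted($in));
}
```

For every input the first two lines are identical, which is the point of the accepted answer. The last line is the one to watch: with "1 OR 1=1" the unquoted query becomes SELECT * FROM accounts WHERE id=1 OR 1=1, escaped or not. If you are on anything newer than PHP 5, the same query written as a mysqli or PDO prepared statement with a bound parameter avoids the quoting question entirely.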

netcoder

Reputation: 67715

Yes they're equivalent. Usually though, you will use sprintf to make the code easier to read, and the query easier to modify:

$user = $_POST['user'];
$sql = sprintf("SELECT * FROM accounts WHERE id='%s'", 
    mysql_real_escape_string($user)
);
$result = mysql_fetch_array(mysql_query($sql));

Upvotes: 1

Galen

Reputation: 30170

Yes, they are the same.

http://php.net/manual/en/function.sprintf.php

Upvotes: 1
