Why is PDO better for escaping MySQL queries/querystrings than mysql_real_escape_string?

ben reitman
Posted on April-17-2013 2:03 AM
PHP

Hi Expert!

I've been told that I'd be better using PDO for MySQL escaping, rather than mysql_real_escape_string.

Maybe I'm having a brain-dead day (or it may be the fact I'm by no stretch of the imagination a natural programmer, and I'm still very much at the newbie stage when it comes to PHP), but having checked out the PHP manual and read the entry on PDO, I'm still no clearer as to what PDO actually is and why it's better than using mysql_real_escape_string. This may be because I've not really got to grips with the complexities of OOP yet (I'm assuming it's something to do with OOP), but other than the fact that variables and array values seem to have a colon in front of them, I'm still not sure what it actually is and how you use it (and why it's better than mysql_real_escape_string). (It also may have something to do with the fact that I don't really have a clear understanding of what 'classes' are, so when I read "PDO class" I'm none the wiser really.)

Having read an article or two on the 'Developer Zone' bit of the MySQL website, I'm still no clearer. As I can't even figure out what it is at the moment, I think probably using it is a bit beyond me right now, but I'm still interested in broadening my education and finding out how I could improve things.

Could anyone explain to me in 'plain English' what PDO is (or point me in the direction of something on the subject written in plain English), and how you'd go about using it?

Thanks in advance!


AVADHESH PATEL

Posted on    April-17-2013 9:13 AM

Hi Ben!

Imagine you write something along the lines of:

$query = 'SELECT * FROM table WHERE id = ' . mysql_real_escape_string($id);

This will not save you from injections, because $id could be 1 OR 1=1 and you will get all the records from the table. You'd have to cast $id to the right datatype (int in that case).

PDO has another advantage, and that is the interchangeability of database backends.
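To make the point in the answer above concrete, here is an added example; it is not code from the original post or from either poster. It uses an in-memory SQLite database through PDO so it runs offline without a MySQL server (the PDO calls are identical for MySQL, only the DSN differs), and a small stand-in for mysql_real_escape_string(), which needs a live MySQL connection and no longer exists in PHP 7 and later. The table name users, the three sample rows and the function names legacy_escape, make_db, find_by_id_escaped and find_by_id_pdo are made up for this example.

```php
<?php
// Added example, not from the original post. An in-memory SQLite database is
// used so the script runs without a MySQL server; the PDO calls are the same
// for MySQL, only the DSN ('mysql:host=...;dbname=...') changes.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string(), which needs a live MySQL connection
// and was removed in PHP 7. Like the real function it only puts a backslash in
// front of NUL, \n, \r, \, ', " and Ctrl-Z. It never adds quotes, so a value
// dropped into a numeric position ("WHERE id = ...") reaches the SQL text as is.
function legacy_escape(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// Constructed sample table: three users (made up for this example).
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// VULNERABLE: the query from the answer above. There are no quotes around the
// value, so the escaper has nothing to protect and "1 OR 1=1" becomes part of
// the WHERE clause, matching every row in the table.
function find_by_id_escaped(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM users WHERE id = ' . legacy_escape($id);
    return $db->query($sql)->fetchAll();
}

// SAFE: a prepared statement. The SQL text is fixed at prepare() time and
// contains only the named placeholder :id (that is what the colon means). The
// value is bound afterwards as data, so whatever it contains it can never be
// parsed as SQL. Validating the type first is what the answer means by casting
// $id: bad input is rejected with a clear error instead of being coerced.
function find_by_id_pdo(PDO $db, string $id): array
{
    $int = filter_var($id, FILTER_VALIDATE_INT);
    if ($int === false) {
        throw new InvalidArgumentException("id must be an integer, got: $id");
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', $int, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

$db = make_db();
$payload = '1 OR 1=1';

printf("escaped  : %d row(s) for %s\n", count(find_by_id_escaped($db, $payload)), $payload);

try {
    find_by_id_pdo($db, $payload);
} catch (InvalidArgumentException $e) {
    printf("prepared : rejected (%s)\n", $e->getMessage());
}

printf("prepared : %d row(s) for '2'\n", count(find_by_id_pdo($db, '2')));
```

Running it shows the escaped version returning the whole table for the payload, while the prepared version rejects the payload and returns exactly one row for a real id. The escaper is the right tool only when the value sits inside a quoted string literal; in the unquoted numeric position used in the answer it cannot help at all, and a placeholder removes the question entirely because the value is never spliced into the SQL text. When targeting MySQL, also pass PDO::ATTR_EMULATE_PREPARES => false in the PDO constructor's options array so the server performs the binding rather than the PHP driver.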
