mysql_real_escape_string frente a mysql_escape_string frente a otra función [cerrado]

yo suelo mysql_real_escape_string for better security. For better mysql performance I now thinking about replacing it.

I found detailed explanation about mysql_real_escape_string y mysql_escape_string in mysql_escape_string VS mysql_real_escape_string.

Mi pregunta es:

If I use persistent connection and know character set (only UTF-8), is there any way to replace mysql_real_escape_string with something that not use mysql?

preguntado el 03 de enero de 13 a las 18:01

Don't use any of them. The mysql_* las funciones serán obsoleto en PHP 5.5. No se recomienda para escribir código nuevo, ya que se eliminará en el futuro. En cambio, o bien el MySQLi or PDO y ser un mejor desarrollador de PHP. -

You shouldn't be using the mysql_*() functions to begin with. Switch to mysqli or PDO, and used prepared statements with placeholders. 99% of the time, you won't even have go anywhere NEAR escaping stuff yourself. -

You are not going to optimize mysql querys with mysql_real_escape_string. If you want to optimize, look into your mysql tables. Set the right indexes and look at your queries. -

I know about depreceated in PHP 5.5 but it is very big application with high load of traffic. Definitely not be rewriten to MySQLi now, this will be done in future version. -

The problem you ask about is likely to be a personal problem. I doubt that it is of any use to ask it here publicly. I suggest you call mysql professional support at either Oracle or a profound, independent consultation company and get all your little, dippy questions answered and even the source-code behind all this explained in a language understandable to you. That should then help you to base a (personal) decision on (a professional consultation company will likely deny to make much of a suggestion anyway). -

2 Respuestas

Lo primero, STOP usar mysql_query and related functions. It's deprecated in PHP 5.5 and will produce warnings when used because you should not be using it at all.

En segundo lugar, siempre utilizado mysql_real_escape_string and only that to escape your values. Don't even think about trying another method. It's ugly, annoying, and just one of many reasons why you shouldn't be using mysql_query to start with. Don't roll your own. Don't look for faster alternatives because there aren't any that are safe to use.

At the earliest possible opportunity, switch to PDO. The conversion cost may be significant if your application is in a severe state of disrepair, but if applied correctly, in a disciplined fashion, the chance of having a SQL injection bug is near zero.

If you're having performance problems with the escaping functions, I have no idea what you're doing, but you're probably doing it wrong. These are usually near zero cost unless you're literally doing millions of them per page load. The execution time of the query you render is almost always significantly longer than the time it takes to prepare the statement itself.

Respondido el 03 de enero de 13 a las 18:01

Use parameterized queries from the MySQLi library; there has previously been bugs in the escaping routine, and it's possible that some could appear again. Parameterizing the query is much, much harder to mess up, so it's less likely that you can get compromised by a MySQL bug.

Respondido el 03 de enero de 13 a las 18:01

mysqli is pretty junk compared to PDO but it's a lot better than ye-olde mysql_query - tadman

@tadman: Get over it. It's very fine, does more than PDO and even has Iterators in PHP 5.4. So what is actually the difference where it is junk? (Not saying you should favor it, there are reasons to use the one or other, but "being junk" is just plain wrong). - hakré

It works just as well in practice, but PDO has support for named placeholders which makes auditing your statements significantly easier, avoiding the problem of getting the order of your binding calls messed up. mysqli is a good fallback if PDO is not available, but otherwise it is not measurably better. - tadman

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.