Alternative to mysql_real_escape_string without connecting to DB

php mysql mysql-real-escape-string
Viet picture Viet · Jul 22, 2009 · Viewed 121.2k times · Source

I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my findings:

http://www.gamedev.net/community/forums/topic.asp?topic_id=448909

http://w3schools.invisionzone.com/index.php?showtopic=20064

Answer

too much php picture too much php · Jul 22, 2009

It is impossible to safely escape a string without a DB connection. mysql_real_escape_string() and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.

If you are only testing, then you may as well use mysql_escape_string(), it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection.

Related questions

Should I use mysqli_real_escape string() or mysql_real_escape_string() for form data?

Possible Duplicate: mysql_escape_string VS mysql_real_escape_string I need to get company_name (given by user through a form) entered into my mysql database. When I use $company = mysqli_real_escape_string($_POST['company_name']) I get …

Read More
How to use mysql_real_escape_string function in PHP

So in this program I'm writing, I actually grab a SQL query from the user using a form. I then go on to run that query on my database. I know not to "trust" user input, so I want to …

Read More
PHP mysql_real_escape_string returns empty string

I'm trying to work a bit of security and sanitization into my databases application (for a class). to start off with, i'm trying to use mysql_real_escape_string, but whenever i use it, it always returns an empty string! …

Read More