Why can't I use the mysqli_escape_string function without having a database connection?
- injection isn't possible without a database connection, so what exactly is your question asking? (Matt, Jun 16, 2016 at 16:54)
- Because it's the database that knows how quote characters, etc. should be escaped, not PHP; so PHP lets the database do it. (Mark Baker, Jun 16, 2016 at 16:55)
- updated the question (Simon Suh, Jun 16, 2016 at 17:04)
- Please take a close look at my answer, especially #2 and #3. Asking this question makes me assume you are having some sort of architectural issue in your project. Feel free to comment on what it is. (bytecode77, Jun 16, 2016 at 17:18)
2 Answers
From the documentation:
Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
It has to have a connection so that it knows what charset the database is using so it can use the right rules for escaping the data.
Quentin's answer boils it down to the essence.

I would also like to add that:

1. As Quentin already mentioned, the charset is only known in the context of an active connection, and it is essential to escaping.
2. Usually, the connection object should be available to any part of your code requiring it. Whenever you need to escape, you most likely also need to use the connection, too. If your issue is "the connection object is not reachable at this part of my code", then you should definitely work on that!
3. And please, please don't try to replicate the behavior of mysqli_escape_string yourself in PHP! This only makes it potentially vulnerable to attackers. Don't assume it's as easy as converting " to \"!
Please take a close look at #2 and #3. Asking this question makes me assume you are having some sort of architectural issue in your project.
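The point both answers make, that the escaping rules only exist relative to the charset the connection uses, can be shown without a database. The following Python script is an added example, not code from either answer and not PHP's mysqli implementation: it compares a byte-level escaper of the kind point #3 warns against with one that decodes the input in the connection charset first, and adds a server's-eye check that decodes the escaped bytes in that charset and reports whether a quote delimiter is still unescaped. The function names, the GBK sample string and the check itself are constructed for this illustration.

```python
"""Constructed illustration of why SQL string escaping depends on the
connection charset (added example, not code from the original answers).

naive_escape      - backslashes quote bytes with no idea of the charset
charset_aware_escape - decodes in the connection charset, escapes, re-encodes
has_unescaped_quote  - the server's view: decode and scan for a bare quote
"""

QUOTE_BYTES = {0x27, 0x22, 0x5C}  # the bytes for ' " and \


def naive_escape(raw: bytes) -> bytes:
    """Byte-oriented escaper: put a backslash before every ' " \\ byte.

    This is the hand-rolled approach the answer warns against; it cannot
    know whether a byte is a delimiter or part of a multibyte character."""
    out = bytearray()
    for b in raw:
        if b in QUOTE_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape on decoded characters and re-encode in the same charset.

    A lead byte without a valid trail byte raises UnicodeDecodeError;
    rejecting malformed input is safer than guessing what it meant."""
    text = raw.decode(charset, errors="strict")
    escaped = (text.replace("\\", "\\\\")
                   .replace("'", "\\'")
                   .replace('"', '\\"'))
    return escaped.encode(charset)


def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode in the connection charset and scan for a quote character
    that is not consumed by a preceding backslash."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            i += 2  # a backslash escapes whatever character follows it
            continue
        if ch in ("'", '"'):
            return True
        i += 1
    return False


def demo() -> dict:
    """Run the comparison on constructed inputs and return the verdicts."""
    results = {}

    # Single-byte charset: the naive escaper happens to produce safe output.
    latin = b"O'Brien"  # constructed sample
    results["latin1_naive_ok"] = not has_unescaped_quote(
        naive_escape(latin), "latin1")

    # GBK: 0xBF is a lead byte and 0x5C is a valid trail byte, so a
    # backslash inserted after 0xBF is swallowed into a two-byte character
    # and the quote that follows is left bare.  The string is a valid GBK
    # character followed by a quote, i.e. b"\xbf\x5c'".
    gbk_valid = "縗'".encode("gbk")  # constructed sample
    results["gbk_naive_ok"] = not has_unescaped_quote(
        naive_escape(gbk_valid), "gbk")
    results["gbk_aware_ok"] = not has_unescaped_quote(
        charset_aware_escape(gbk_valid, "gbk"), "gbk")

    # A lone lead byte followed by a quote is not valid GBK; the
    # charset-aware escaper refuses it instead of producing something.
    try:
        charset_aware_escape(b"\xbf'", "gbk")
        results["gbk_malformed_rejected"] = False
    except UnicodeDecodeError:
        results["gbk_malformed_rejected"] = True

    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The takeaway is the one Quentin's quote from the documentation states: the same byte-level rule that is fine for latin1 leaves a delimiter intact under a multibyte charset, so an escaper must know which charset the connection speaks. In PHP that also means setting the charset with mysqli_set_charset(), not with a plain SET NAMES query, so that mysqli_real_escape_string() sees the same charset the server uses.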