mysqli_real_escape_string()
#1

[eluser]Tyrael[/eluser]
codeigniter This function is deprecated; use mysql_real_escape_string() instead.
I'm using the latest CI and mysql with mysqli library.
the escape_str in the mysqli driver:

function escape_str($str)
{
    if (function_exists('mysqli_real_escape_string') AND is_resource($this->conn_id))
    {
        return mysqli_real_escape_string($this->conn_id, $str);
    }
    elseif (function_exists('mysql_escape_string'))
    {
        return mysql_escape_string($str);
    }
    else
    {
        return addslashes($str);
    }
}

So the CI must specify the connection id in the mysqli driver class, or else it will not use the mysqli_real_escape_string function, and this will generate a Warning.

Tyrael
#2

[eluser]Seppo[/eluser]
I don't understand what you say. Can you explain? When will a warning come up?
#3

[eluser]Tyrael[/eluser]
set your default db connection dbdriver setting to:
$db['default']['dbdriver'] = "mysqli";
then run a query with some params that need to be escaped.

Tyrael
#4

[eluser]Seppo[/eluser]
Using mysqli driver
$this->db->query('SELECT * FROM test WHERE "1" = ?', array('1'));

produces
SELECT * FROM test WHERE "1" = '1'

as expected... can you copy the warning you are getting?
#5

[eluser]Tyrael[/eluser]
$this->db->query('SELECT CONCAT(?, ?)', array('?_(GQOoV', '?_(GQOoV'));

A PHP Error was encountered

Severity: Warning

Message: mysql_escape_string() [function.mysql-real-escape-string]: This function is deprecated; use mysql_real_escape_string() instead.

Filename: mysqli/mysqli_driver.php

Line Number: 258
A PHP Error was encountered

Severity: Warning

Message: mysql_escape_string() [function.mysql-real-escape-string]: This function is deprecated; use mysql_real_escape_string() instead.

Filename: mysqli/mysqli_driver.php

Line Number: 258


my database.php:

$active_group = "default";
$active_record = TRUE;

$db['default']['hostname'] = "localhost";
$db['default']['username'] = "asd";
$db['default']['password'] = "bsd";
$db['default']['database'] = "asd";
$db['default']['dbdriver'] = "mysqli";
$db['default']['dbprefix'] = "";
$db['default']['pconnect'] = TRUE;
$db['default']['db_debug'] = TRUE;
$db['default']['cache_on'] = FALSE;
$db['default']['cachedir'] = "";
$db['default']['char_set'] = "utf8";
$db['default']['dbcollat'] = "utf8_hungarian_ci";


Tyrael
#6

[eluser]Seppo[/eluser]
I actually have mysqli_real_escape_string function, so I wasn't getting there... but also I'm not getting the warning... Even with

Code:
<?php
error_reporting(E_ALL | E_STRICT);
echo mysql_escape_string("Hello");
?>
I am getting it OK... but probably an @ before calling the function won't hurt anyone...

Can I know your PHP version?
#7

[eluser]Tyrael[/eluser]
The $this->conn_id is set, but it's a mysqli_object, not a resource, so the
if (function_exists('mysqli_real_escape_string') AND is_resource($this->conn_id))
condition will never be true.
I replaced it with
if (function_exists('mysqli_real_escape_string') AND !empty($this->conn_id))

Tyrael
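
Added example (not part of the thread and not CodeIgniter's own code): the script below reports which branch of the escape_str() chain each guard selects for a mysqli connection object, showing the silent fall-through to the connection-unaware escapers. chosen_escaper(), the guard labels and the stricter instanceof guard are assumptions made for illustration.

```php
<?php
// Added example. chosen_escaper() and the guard names are hypothetical.
if (!extension_loaded('mysqli')) {
    exit("This example needs the mysqli extension.\n");
}

// Report which branch of the escape_str() chain a guard selects.
// Nothing is escaped or queried, so no database connection is required.
function chosen_escaper($conn_id, $guard)
{
    if (function_exists('mysqli_real_escape_string') && $guard($conn_id)) {
        return 'mysqli_real_escape_string'; // uses the connection and its charset
    }
    if (function_exists('mysql_escape_string')) {
        return 'mysql_escape_string';       // deprecated, takes no connection
    }
    return 'addslashes';                    // generic fallback, takes no connection
}

$guards = array(
    'original is_resource()' => function ($c) { return is_resource($c); },
    'patched  !empty()'      => function ($c) { return !empty($c); },
    // Assumption, not from the thread: accept only a real mysqli object.
    'strict   instanceof'    => function ($c) { return $c instanceof mysqli; },
);

// Constructed inputs: an unconnected mysqli handle, a failed connect, a wrong type.
$samples = array(
    'mysqli object'    => mysqli_init(),
    'FALSE'            => false,
    'non-empty string' => 'not a connection',
);

foreach ($samples as $label => $conn) {
    foreach ($guards as $name => $guard) {
        printf("%-17s %-23s -> %s\n", $label, $name, chosen_escaper($conn, $guard));
    }
}
```

The !empty() guard also accepts the non-empty string, so a value of the wrong type would still be passed to mysqli_real_escape_string(); the instanceof check rejects it.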
#8

[eluser]Seppo[/eluser]
You are SO right...
Please report it in bug tracker
#9

[eluser]Tyrael[/eluser]
done

Tyrael
#10

[eluser]Daniel MC[/eluser]
I have a problem with this function mysql_real_escape_string() in mysql driver, I hope you can help me with this.
The code is this:
Code:
    /**
     * Escape String
     *
     * @access    public
     * @param    string
     * @return    string
     */
    function escape_str($str, $like = FALSE)
    {
        if (is_array($str))
        {
            foreach($str as $key => $val)
            {
                $str[$key] = $this->escape_str($val, $like);
            }

            return $str;
        }

        if (function_exists('mysql_real_escape_string') AND is_resource($this->conn_id))
        {
            $str = mysql_real_escape_string($str, $this->conn_id);
        }
        elseif (function_exists('mysql_escape_string'))
        {
            $str = mysql_escape_string($str);
        }
        else
        {
            $str = addslashes($str);
        }

        // escape LIKE condition wildcards
        if ($like === TRUE)
        {
            $str = str_replace(array('%', '_'), array('\\%', '\\_'), $str);
        }

        return $str;
    }
In the attachment I show the error.



