AsyncMysqlConnection::escapeString

Escape a string to be safe to include in a raw query.

Description

public function escapeString(
  string $data,
): string

Escape a string to be safe to include in a raw query.

Use this method to protect a query built from untrusted input against, for example, SQL injection when you are not using an API that escapes the values for you.

We strongly recommend using queryf() instead, which automatically escapes string parameters.

This method is equivalent to PHP's mysql_real_escape_string(). Like that function, it escapes the special characters in $data but does not add surrounding quotes (see the output in the example below), so the query text must still quote the value it is inserted into.

Parameters

  • string $data - The string to properly escape.

Return Values

  • string - The escaped string.

Examples

The following example shows how to use AsyncMysqlConnection::escapeString to make sure any string passed to something like AsyncMysqlConnection::query is safe to embed in a database query. This is similar to mysql_real_escape_string. Note that the escaped value still has to be wrapped in quotes inside the SQL text; escapeString only escapes the characters that would otherwise terminate the quoted literal.

We strongly recommend using an API like AsyncMysqlConnection::queryf instead, which automatically escapes strings passed to %s placeholders.

<?hh

namespace Hack\UserDocumentation\API\Examples\AsyncMysql\Conn\EscapeString;

use \Hack\UserDocumentation\API\Examples\AsyncMysql\ConnectionInfo as CI;

async function connect(\AsyncMysqlConnectionPool $pool):
  Awaitable<\AsyncMysqlConnection> {
  return await $pool->connect(
    CI::$host,
    CI::$port,
    CI::$db,
    CI::$user,
    CI::$passwd
  );
}

async function get_data(\AsyncMysqlConnection $conn, string $name):
  Awaitable<\AsyncMysqlQueryResult> {
  /* DON'T DO THIS!
   *
   * Use AsyncMysqlConnection::queryf() instead, which automatically escapes
   * strings for %s placeholders.
   */
  $escaped_name = $conn->escapeString($name);
  var_dump($escaped_name);
  // escapeString() does not add quotes, so the literal must be quoted here.
  return await $conn->query(
    "SELECT age FROM test_table WHERE name = '".$escaped_name."'",
  );
}

async function simple_query(): Awaitable<int> {
  $pool = new \AsyncMysqlConnectionPool(array());
  $conn = await connect($pool);
  $result = await get_data($conn, 'Joel Marcey');
  $x = $result->numRows();
  $result = await get_data($conn, 'Daffy\nDuck');
  $conn->close();
  return $x + $result->numRows();
}

function run(): void {
  $r = \HH\Asio\join(simple_query());
}

run();

Output
string(11) "Joel Marcey"
string(12) "Daffy\\nDuck"
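To make the recommendation above concrete, here is an added example (not part of the original page or the HHVM project's own code) that runs the same lookup three ways against a hostile input: raw concatenation, escapeString() with the quotes supplied by the caller, and queryf() with a %s placeholder. It assumes the same ConnectionInfo class and test_table (with name and age columns) used in the example above; the input string and the function names are constructed for this illustration.

```hack
<?hh

namespace Hack\UserDocumentation\API\Examples\AsyncMysql\Conn\EscapeStringContrast;

// Added example; assumes the page's ConnectionInfo class and test_table.
use \Hack\UserDocumentation\API\Examples\AsyncMysql\ConnectionInfo as CI;

// Constructed hostile input: if it reaches the query unescaped, the quote
// closes the literal and the OR clause matches every row in the table.
const string HOSTILE_NAME = "x' OR '1'='1";

async function connect(\AsyncMysqlConnectionPool $pool):
  Awaitable<\AsyncMysqlConnection> {
  return await $pool->connect(
    CI::$host,
    CI::$port,
    CI::$db,
    CI::$user,
    CI::$passwd
  );
}

// VULNERABLE: raw string concatenation. Shown only for contrast.
async function lookup_unescaped(\AsyncMysqlConnection $conn, string $name):
  Awaitable<\AsyncMysqlQueryResult> {
  return await $conn->query(
    "SELECT age FROM test_table WHERE name = '".$name."'",
  );
}

// ESCAPED: escapeString() neutralises the quote and backslash characters,
// but it does not add the surrounding quotes, so the query must supply them.
async function lookup_escaped(\AsyncMysqlConnection $conn, string $name):
  Awaitable<\AsyncMysqlQueryResult> {
  $escaped = $conn->escapeString($name);
  return await $conn->query(
    "SELECT age FROM test_table WHERE name = '".$escaped."'",
  );
}

// PREFERRED: queryf() escapes and quotes each %s argument itself, so there
// is no quoting for the caller to get wrong.
async function lookup_queryf(\AsyncMysqlConnection $conn, string $name):
  Awaitable<\AsyncMysqlQueryResult> {
  return await $conn->queryf(
    'SELECT age FROM test_table WHERE name = %s',
    $name,
  );
}

async function compare(): Awaitable<void> {
  $pool = new \AsyncMysqlConnectionPool(array());
  $conn = await connect($pool);

  $unescaped = await lookup_unescaped($conn, HOSTILE_NAME);
  $escaped = await lookup_escaped($conn, HOSTILE_NAME);
  $safe = await lookup_queryf($conn, HOSTILE_NAME);

  // Unescaped: the injected OR '1'='1' is true for every row, so the count
  // equals the table size. Escaped and queryf: the whole string is compared
  // as a literal name, which matches only a row actually named that.
  var_dump($unescaped->numRows());
  var_dump($escaped->numRows());
  var_dump($safe->numRows());

  $conn->close();
}

\HH\Asio\join(compare());
```

Running this against a table with a handful of rows shows the unescaped count jump to the full row count while the other two stay at zero (or one, if a row really is named `x' OR '1'='1`). The escaped and queryf variants send the same bytes to the server; the difference is that queryf makes the quoting impossible to omit, which is why the page recommends it over hand-built queries.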