I'm building a login, and in my PHP I do not know whether it is advisable to escape characters with mysql_real_escape_string():
    <?php
    session_start();
    $conexion = new mysqli("localhost","username","password","DB");
    // new mysqli() returns an object even on failure, so test connect_error
    if ($conexion->connect_error) {
        die("Error al conectar con la base de datos ".$conexion->connect_error);
    }
    // Load every row of the login table and compare in PHP
    $consulta = "SELECT * FROM login";
    $resultado = $conexion->query($consulta);
    if($resultado->num_rows > 0){
        while($row = $resultado->fetch_assoc()){
            $usuario = $_POST['texto_login'];
            // Variant 1: escaping function of the legacy mysql_* extension
            $usuario1 = mysql_real_escape_string($usuario,$conexion);
            $contrasena = $_POST['contrasena_login'];
            $contrasena1 = mysql_real_escape_string($contrasena,$conexion);
            // The escaped password is what gets hashed
            $contrasena_sha = hash("sha512", $contrasena1);
            if ($usuario == $row['Usuario'] && $contrasena_sha == $row['Contrasena']) {
                // Store the user under a key instead of overwriting $_SESSION
                $_SESSION['usuario'] = $usuario;
                echo "ok";
            }
        }
    }
    $conexion->close();
    ?>
or with $conexion->real_escape_string():
    <?php
    session_start();
    $conexion = new mysqli("localhost","username","password","DB");
    // new mysqli() returns an object even on failure, so test connect_error
    if ($conexion->connect_error) {
        die("Error al conectar con la base de datos ".$conexion->connect_error);
    }
    // Load every row of the login table and compare in PHP
    $consulta = "SELECT * FROM login";
    $resultado = $conexion->query($consulta);
    if($resultado->num_rows > 0){
        while($row = $resultado->fetch_assoc()){
            $usuario = $_POST['texto_login'];
            // Variant 2: escaping method of the mysqli connection object
            $usuario1 = $conexion->real_escape_string($usuario);
            $contrasena = $_POST['contrasena_login'];
            $contrasena1 = $conexion->real_escape_string($contrasena);
            // The escaped password is what gets hashed
            $contrasena_sha = hash("sha512", $contrasena1);
            if ($usuario == $row['Usuario'] && $contrasena_sha == $row['Contrasena']) {
                // Store the user under a key instead of overwriting $_SESSION
                $_SESSION['usuario'] = $usuario;
                echo "ok";
            }
        }
    }
    $conexion->close();
    ?>
Actually, I do not know which one to use, since the official PHP page says that mysql_real_escape_string() is from the previous versions, 5.5.0 and 7.0.0, and actually I use the mysql one and it works well for me; that is, it protects me from basic SQL injections. Also, in my case I use mysqli for the connection to the database.
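
Added example, not part of the original post: the same login check written with a mysqli prepared statement, so the submitted values are bound as parameters and neither escaping function is needed. The table `login`, its columns and the form field names come from the post; the function name `verificar_login` is hypothetical, and the code assumes `Contrasena` stores `password_hash()` output rather than the SHA-512 hex used above.

```php
<?php
// Added example. Assumption: login.Contrasena holds password_hash() output,
// not the SHA-512 hex string used in the post.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

// Hypothetical helper: true only when the user exists and the password matches.
function verificar_login(mysqli $conexion, string $usuario, string $contrasena): bool
{
    // The value travels separately from the SQL text, so it cannot change the
    // query's structure and no escaping function is involved.
    $stmt = $conexion->prepare("SELECT Contrasena FROM login WHERE Usuario = ? LIMIT 1");
    $stmt->bind_param("s", $usuario);
    $stmt->execute();
    $stmt->bind_result($hash_guardado);
    $encontrado = $stmt->fetch();   // true on a row, null when no user matches
    $stmt->close();

    // Verify the raw password: escaping it first would change the bytes hashed.
    return $encontrado === true && password_verify($contrasena, $hash_guardado);
}

session_start();
$conexion = new mysqli("localhost", "username", "password", "DB");
$conexion->set_charset("utf8mb4");

$usuario    = $_POST['texto_login'] ?? '';
$contrasena = $_POST['contrasena_login'] ?? '';

// Reject array-valued form fields before they reach the typed function.
if (is_string($usuario) && is_string($contrasena)
    && verificar_login($conexion, $usuario, $contrasena)) {
    session_regenerate_id(true);        // new session id after authentication
    $_SESSION['usuario'] = $usuario;    // store under a key, not over the array
    echo "ok";
} else {
    echo "error";
}
$conexion->close();
```

Unlike the loops above, this fetches only the row for the submitted user instead of reading the whole `login` table on every attempt.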