php-mysql escaping


birbal

Sample 1:

echo mysql_real_escape_string(somefunction());

Sample 2:

echo mysql_escape_string(somefunction());

somefunction() is a function which returns a string. Now when I am using sample 1 it is not returning any value (it echoes nothing), but when I am using sample 2 it is returning and showing the desired value. Even if I echo somefunction(), it is also returning a value. Why is it happening?

MORE

1) I saw the php.net manual; they are saying to use mysql_real_escape_string instead of mysql_escape_string(). Can anyone tell me what the difference between these is?

2) Instead of mysql_real_escape_string, which is the best function to use to prevent SQL injection and other security threats?


Yes, mysql_escape_string() is deprecated (meaning the use of it is highly discouraged, and the function will no longer be maintained). The difference is that mysql_real_escape_string() takes the character encoding of the database into consideration when escaping the characters. Because of this, you must have an open connection with the database in order to use this function. I am guessing that the reason mysql_escape_string() is working and mysql_real_escape_string() is not working is because you are not connected to the database, and the former function does not require that connection while the latter does. Try this:

mysql_connect('localhost','root','pswd'); //change these values appropriately to represent your connection info
mysql_select_db('database'); //change this to the database name
echo mysql_real_escape_string(somefunction());

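Added example, not part of the original posts: the same escaping done through mysqli (the mysql_* functions were removed in PHP 7.0), where the connection and its character set are explicit, next to a prepared statement for the same query. The credentials, the `users(id, name)` table and the helper function names are assumptions for illustration.

```php
<?php
// Added example; credentials, database and the users(id, name) table are
// placeholders, and the helper functions are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function connect_db(): mysqli
{
    $db = new mysqli('localhost', 'root', 'pswd', 'database');
    // Escaping follows the connection character set, so set it through the
    // API; a plain "SET NAMES" query does not tell the client library.
    $db->set_charset('utf8mb4');
    return $db;
}

// Escaping: needs the open connection and is only safe inside quotes.
function find_ids_escaped(mysqli $db, string $name): array
{
    $safe = $db->real_escape_string($name);
    $res = $db->query("SELECT id FROM users WHERE name = '$safe'");
    $ids = [];
    while ($row = $res->fetch_assoc()) {
        $ids[] = (int) $row['id'];
    }
    return $ids;
}

// Prepared statement: the value is sent separately from the SQL text,
// so no escaping step (and no quoting mistake) is involved.
function find_ids_prepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $stmt->bind_result($id);
    $ids = [];
    while ($stmt->fetch()) {
        $ids[] = (int) $id;
    }
    $stmt->close();
    return $ids;
}

$db = connect_db();
$name = "O'Reilly"; // constructed sample input containing a quote
var_dump(find_ids_escaped($db, $name) === find_ids_prepared($db, $name));
```

Escaped values protect only when placed between quotes in the query; an escaped value dropped into an unquoted position (for example a numeric comparison) is not protected, which is one reason the prepared form is the safer default.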

Archived

This topic is now archived and is closed to further replies.
