php-doc-en/reference/mysql/functions/mysql-real-escape-string.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!-- $Revision: 1.19 $ -->
<!-- splitted from ./en/functions/mysql.xml, last change in rev 1.100 -->
  <refentry id="function.mysql-real-escape-string">
   <refnamediv>
    <refname>mysql_real_escape_string</refname>
    <refpurpose>
     Escapes special characters in a string for use in a SQL statement
    </refpurpose>
   </refnamediv>
   <refsect1>
    <title>Description</title>
    <methodsynopsis>
     <type>string</type><methodname>mysql_real_escape_string</methodname>
     <methodparam><type>string</type><parameter>unescaped_string</parameter></methodparam>
     <methodparam choice="opt"><type>resource</type><parameter>link_identifier</parameter></methodparam>
    </methodsynopsis>
    <para>
     <variablelist>
      <varlistentry>
       <term><parameter>unescaped_string</parameter></term>
       <listitem><simpara>The string to escape</simpara>
       </listitem>
      </varlistentry>
      <varlistentry>
       <term><parameter>link_identifier</parameter> (optional)</term>
       <listitem><simpara>The mysql connection resource</simpara></listitem>
      </varlistentry>
     </variablelist>
    </para>
    <para>
     This function will escape special characters in the
     <parameter>unescaped_string</parameter>, taking into account the current
     character set of the connection so that it is safe to place it in a
     <function>mysql_query</function>. If binary data is to be inserted, this function
     must be used.
    </para>
    <para>
     <function>mysql_real_escape_string</function> calls MySQL's library function
     mysql_escape_string, which prepends backslashes to the following characters:
     <literal>NULL</literal>, <literal>\x00</literal>, <literal>\n</literal>,
     <literal>\r</literal>, <literal>\</literal>, <literal>'</literal>,
     <literal>"</literal> and <literal>\x1a</literal>.
    </para>
    <para>
     <example>
      <title>Simple <function>mysql_real_escape_string</function> example</title>
      <programlisting role="php">
<![CDATA[
<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));
?>
]]>
      </programlisting>
     </example>
    </para>
    <para>
     This function must always (with few exceptions) be used to make data
     safe before sending a query to MySQL.
    </para>
    <note>
     <para>
      If <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link> is enabled,
      first apply <function>stripslashes</function> to the data. Using this function
      on data which has already been escaped will escape the data twice.
     </para>
    </note>
    <para>
     If this function is not used to escape data, the query is vulnerable to
     <link linkend="security.database.sql-injection">SQL Injection Attacks</link>.
    </para>
    <para>
     <example>
      <title>An example SQL Injection Attack</title>
      <programlisting role="php">
<![CDATA[
<?php
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR 1=1";

// This means the query sent to MySQL would be:
echo $query;
?>
]]>
      </programlisting>
       <para>
        The query sent to MySQL:
       </para>
      <screen>
<![CDATA[
SELECT * FROM users WHERE name='aidan' AND password='' OR 1=1
]]>
      </screen>
      <para>
       This would allow anyone to log in without a valid password.
      </para>
     </example>
    </para>
    <para>
     <example>
      <title>A "Best Practice" query</title>
      <para>
       Using <function>mysql_real_escape_string</function> around each variable
       prevents SQL Injection. This example demonstrates the "best practice"
       method for querying a database, independent of the
       <link linkend="security.magicquotes">Magic Quotes</link> setting.
      </para>
      <programlisting role="php">
<![CDATA[
<?php
// Quote variable to make safe
function quote_smart($value)
{
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Make a safe query
$query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
            quote_smart($_POST['username']),
            quote_smart($_POST['password']));

mysql_query($query);
?>
]]>
      </programlisting>
      <para>
       The query will now execute correctly, and SQL Injection attacks will not work.
      </para>
     </example>
    </para>
    <note>
     <simpara>
      <function>mysql_real_escape_string</function> does not escape
      <literal>%</literal> and <literal>_</literal>. These are wildcards in
      MySQL if combined with <literal>LIKE</literal>, <literal>GRANT</literal>,
      or <literal>REVOKE</literal>.
     </simpara>
    </note>
    <para>
     See also
     <function>mysql_client_encoding</function>,
     <function>addslashes</function>,
     <function>stripslashes</function>,
     the <link linkend="ini.magic-quotes-gpc">magic_quotes_gpc</link>,
     and the
     <link linkend="ini.magic-quotes-runtime">magic_quotes_runtime</link>
     directive.
    </para>
   </refsect1>
  </refentry>

<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
sgml-omittag:t
sgml-shorttag:t
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:1
sgml-indent-data:t
indent-tabs-mode:nil
sgml-parent-document:nil
sgml-default-dtd-file:"../../../../manual.ced"
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
vim600: syn=xml fen fdm=syntax fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1
-->