mysql_real_escape_stringEscapes special characters in a string for use in a SQL statement
&reftitle.description;
stringmysql_real_escape_stringstringunescaped_stringresourcelink_identifier
Escapes special characters in the unescaped_string,
taking into account the current character set of the connection so that it
is safe to place it in a mysql_query. If binary data
is to be inserted, this function must be used.
mysql_real_escape_string calls MySQL's library function
mysql_real_escape_string, which prepends backslashes to the following characters:
\x00, \n,
\r, \, ',
" and \x1a.
This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL.
&reftitle.parameters;
unescaped_string
The string that is to be escaped.
&mysql.linkid.description;
&reftitle.returnvalues;
Returns the escaped string, or &false; on error.
&reftitle.examples;
Simple <function>mysql_real_escape_string</function> example
]]>
An example SQL Injection Attack
]]>
The query sent to MySQL:
This would allow anyone to log in without a valid password.
A "Best Practice" query
Using mysql_real_escape_string around each variable
prevents SQL Injection. This example demonstrates the "best practice"
method for querying a database, independent of the
Magic Quotes setting.
0) {
echo "Product inserted\n";
}
}
} else {
echo "Fill the form properly\n";
}
?>
]]>
The query will now execute correctly, and SQL Injection attacks will not work.
&reftitle.notes;
A MySQL connection is required before using
mysql_real_escape_string otherwise an error of
level E_WARNING is generated, and &false; is
returned. If link_identifier isn't defined, the
last MySQL connection is used.
If magic_quotes_gpc is enabled,
first apply stripslashes to the data. Using this function
on data which has already been escaped will escape the data twice.
If this function is not used to escape data, the query is vulnerable to
SQL Injection Attacks.
mysql_real_escape_string does not escape
% and _. These are wildcards in
MySQL if combined with LIKE, GRANT,
or REVOKE.
&reftitle.seealso;
mysql_client_encodingaddslashesstripslashesThe magic_quotes_gpc directiveThe magic_quotes_runtime directive