mysql_real_escape_string

Escapes special characters in a string for use in a SQL statement, taking into account the current charset of the connection.

Description

string mysql_real_escape_string ( string unescaped_string [, resource link_identifier] )

unescaped_string
    The string to escape.

link_identifier (optional)
    The MySQL connection resource.

This function will escape special characters in unescaped_string, taking into account the current charset of the connection, so that it is safe to place in a mysql_query. If you wish to insert binary data you must use this function.

mysql_real_escape_string calls MySQL's library function of the same name, which prepends backslashes to the following characters: NUL (\x00), \n, \r, \, ', " and \x1a.

You must always (with few exceptions) use this function to make your data safe before inserting it. If you have magic_quotes_gpc enabled, you must first stripslashes your data. If you don't use this function, you leave yourself open to SQL injection attacks. Here's an example:

Example: An example SQL injection attack

The query sent to MySQL:

This would allow anyone to log in without a valid password!

Using mysql_real_escape_string around each variable prevents this.

Our query is now safe no matter what the user submits!

Note: mysql_real_escape_string does not escape % and _. These are wildcards in MySQL if not bounded by quotes.

See also: mysql_client_encoding, addslashes, and the magic_quotes_gpc directive.
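The code listings for the example above are not preserved in this copy of the page. The following Python script is an added illustration, not the manual's own example and not the MySQL client library: it models the character list the text gives for mysql_real_escape_string (with the letter forms \0, \n, \r and \Z that the library actually emits for the control characters), builds the login query unescaped and escaped so the effect of the ' OR ''=' payload on the SQL text is visible, shows the magic_quotes_gpc / stripslashes interaction, and covers the % and _ caveat with a separate LIKE-pattern step. The function names (escape, escape_like, stripslashes, build_login_query), the users table and the column names are assumptions made for the example; the connection charset, which is the reason the real function takes a link_identifier, is not modelled here.

```python
# Added example modelling the escaping rules this page documents.
# escape() below is a plain-Python stand-in for mysql_real_escape_string,
# NOT the library call: it knows nothing about the connection charset.

# Characters listed on the page and the replacement the MySQL client emits.
ESCAPES = {
    "\x00": "\\0",   # NUL
    "\n": "\\n",
    "\r": "\\r",
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x1a": "\\Z",   # Ctrl-Z
}


def escape(unescaped: str) -> str:
    """Model of mysql_real_escape_string for a single-byte charset."""
    return "".join(ESCAPES.get(ch, ch) for ch in unescaped)


def escape_like(pattern: str) -> str:
    """Extra step for LIKE patterns: the page notes % and _ are NOT escaped
    by mysql_real_escape_string, so a user-supplied LIKE term needs this
    in addition (backslash is MySQL's default LIKE escape character)."""
    return escape(pattern).replace("%", "\\%").replace("_", "\\_")


def stripslashes(quoted: str) -> str:
    """Model of PHP's stripslashes: undo magic_quotes_gpc before escaping,
    otherwise the data is escaped twice and literal backslashes are stored."""
    out, i = [], 0
    while i < len(quoted):
        if quoted[i] == "\\" and i + 1 < len(quoted):
            nxt = quoted[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        else:
            out.append(quoted[i])
            i += 1
    return "".join(out)


def build_login_query(username: str, password: str, safe: bool) -> str:
    """Assemble the login query; safe=True applies escape() to each value,
    mirroring 'mysql_real_escape_string around each variable'."""
    if safe:
        username, password = escape(username), escape(password)
    return (
        "SELECT * FROM users WHERE user='"
        + username
        + "' AND password='"
        + password
        + "'"
    )


if __name__ == "__main__":
    # Constructed sample input: the password field carries the classic
    # tautology payload from this kind of example.
    user, pw = "aidan", "' OR ''='"

    print("unescaped:", build_login_query(user, pw, safe=False))
    # -> ... AND password='' OR ''=''   (true for every row)
    print("escaped:  ", build_login_query(user, pw, safe=True))
    # -> ... AND password='\' OR \'\'=\''   (compared as a literal string)

    # With magic_quotes_gpc on, the request already arrives backslashed;
    # strip those first, then escape exactly once.
    as_received = "\\' OR \\'\\'=\\'"
    print("once:     ", escape(stripslashes(as_received)))
    print("twice:    ", escape(as_received))  # stored with stray backslashes

    # % and _ pass through escape() untouched; escape_like() handles them.
    print("like:     ", escape("50%_off"), "->", escape_like("50%_off"))
```

Running the script prints the five query/value strings side by side; the point to take from it is that escaping changes what the SQL parser sees for the quote characters only, so a value destined for a LIKE pattern still needs the wildcard step, and input that was already backslashed by magic_quotes_gpc must be stripped before being escaped.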