mysql_real_escape_string

Escapes special characters in a string for use in a SQL statement, taking into account the current charset of the connection.

Description

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier ] )

Parameters

unescaped_string
    The string to escape.

link_identifier (optional)
    The MySQL connection resource.

This function will escape special characters in the unescaped_string, taking into account the current charset of the connection, so that it is safe to place it in a mysql_query. If you wish to insert binary data you must use this function.

mysql_real_escape_string calls MySQL's library function (mysql_escape_string), which prepends slashes to the following characters: NULL, \x00, \n, \r, \, ', " and \x1a.

Examples

Example: Simple mysql_real_escape_string example

You must always (with few exceptions) use this function to make your data safe before inserting. If you have magic_quotes_gpc enabled, you must first stripslashes your data. If you don't use this, you leave yourself open to SQL Injection Attacks. Here's an example:

Example: An example SQL Injection Attack

The query sent to MySQL would allow anyone to log in without a valid password! Using mysql_real_escape_string around each variable prevents this.

The query will now execute correctly, and Injection attacks will no longer work.

Notes

mysql_real_escape_string does not escape % and _. These are wildcards in MySQL if combined with LIKE.

See Also

mysql_client_encoding, addslashes, and the magic_quotes_gpc directive.
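The following is an added example, not code from the PHP manual, showing the three points above together: undoing magic_quotes_gpc before escaping, wrapping every interpolated value in mysql_real_escape_string, and additionally escaping % and _ when the value is used inside a LIKE pattern. It assumes an open ext/mysql connection in $link, a hypothetical table users(username, password), and a submitted login form in $_POST; the helper names are mine.

```php
<?php
// Added example, not part of the PHP manual. Assumes $link is an open
// ext/mysql connection resource and that a table users(username, password)
// exists (hypothetical schema).

// Undo magic_quotes_gpc first; otherwise the input gets escaped twice and
// every quote in the stored value ends up with a stray backslash.
function raw_input($value)
{
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Quote a value for use as a SQL string literal. Escaping is done against
// the connection so the current charset is taken into account.
function sql_string($value, $link)
{
    return "'" . mysql_real_escape_string($value, $link) . "'";
}

// Quote a value for use inside a LIKE pattern. mysql_real_escape_string
// leaves % and _ untouched, so a user-supplied "%" would match every row.
// Escape backslash, % and _ for LIKE first, then escape for the string
// literal; the doubled backslashes survive both layers of parsing.
function sql_like_prefix($value, $link)
{
    $value = str_replace(
        array('\\', '%', '_'),
        array('\\\\', '\%', '\_'),
        $value
    );
    return "'" . mysql_real_escape_string($value, $link) . "%'";
}

$user = raw_input($_POST['username']);
$pass = raw_input($_POST['password']);

// Vulnerable form: an unescaped quote in $user or $pass terminates the
// string literal early and the rest of the input becomes SQL.
$vulnerable = "SELECT * FROM users WHERE username='$user' AND password='$pass'";

// Hardened form: every interpolated value passes through sql_string().
$safe = sprintf(
    "SELECT * FROM users WHERE username=%s AND password=%s",
    sql_string($user, $link),
    sql_string($pass, $link)
);
$result = mysql_query($safe, $link);
if ($result === false) {
    // Never echo mysql_error() to the client; log it server-side instead.
    error_log('login query failed: ' . mysql_error($link));
}

// Prefix search: the LIKE wildcards in the user's term are neutralised.
$term   = raw_input(isset($_GET['q']) ? $_GET['q'] : '');
$search = "SELECT username FROM users WHERE username LIKE " . sql_like_prefix($term, $link);
$rows   = mysql_query($search, $link);
```

Note that ext/mysql was deprecated in PHP 5.5 and removed in PHP 7.0; mysqli_real_escape_string is the direct equivalent, and prepared statements (mysqli or PDO) avoid the quoting problem entirely because values are never spliced into the SQL text.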