Escape special characters in unescaped_string, taking into account the current character's connection settings so that it is safe in place in mysql_query() it. If binary data is to be inserted, this function must be used
The following characters are affected:
If successful, this function returns the escaped string. If failed, returns false.
mysql_real_escape_string(string,connection)
Parameters | Description |
---|---|
string | Required. Specifies the string to be escaped. |
connection | Optional. Specifies the MySQL connection. If not specified, the previous connection is used. |
Description
This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query().
Tips and Notes
Tip: You can use this function to prevent database attacks.
Example
Example 1
//Get the code for username and password
//Escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
//More codes
mysql_close($con);
?>
Example 2
Database attack. This example shows what happens if we don't apply the mysql_real_escape_string() function to the username and password:
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
//Do not check username and password
// Can be anything entered by the user, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
//Some code...
mysql_close($con);
?>
Then the SQL query will become like this:
SELECT * FROM users
WHERE user='john' AND password='' OR ''='' This means that any user can log in without entering a valid password.
Example 3
Correct ways to prevent database attacks:
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error()) ;
}
// Perform secure SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = " SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>