PHP mysql_real_escape_string() function usage and example tutorial
Escapes special characters in unescaped_string, taking into account the current character set of the connection, so that the result is safe to place in mysql_query(). If binary data is to be inserted, this function must be used.
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
On success, this function returns the escaped string; on failure it returns false.
Syntax
mysql_real_escape_string(string, connection)
Parameter | Description
---|---
string | Required. Specifies the string to be escaped.
connection | Optional. Specifies the MySQL connection. If not specified, the last connection opened is used.
Description
This function escapes special characters in a string and takes into account the current character set of the connection, so it is safe to use with mysql_query().
Tips and Notes
Tip: You can use this function to help protect your queries against SQL injection attacks.
Example
Example 1
<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
// Obtain the username and password (here from the login form, as in the later examples)
$user = $_POST['user'];
$pwd = $_POST['pwd'];
// Escape the username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";
// More code...
mysql_close($con);
?>
Example 2
A database attack. This example shows what happens if mysql_real_escape_string() is not applied to the username and password:
<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
// The username and password are not checked or escaped.
// They can be anything the user enters, for example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// Some code...
mysql_close($con);
?>
Then the SQL query becomes:
SELECT * FROM users
WHERE user='john' AND password='' OR ''=''
This means that anyone can log in without entering a valid password.
Example 3
The correct way to prevent database attacks:
<?php
function check_input($value)
{
    // Remove the slashes added by magic quotes, if that setting is enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // If the value is not a number, escape it and wrap it in quotes
    if (!is_numeric($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
    die('Could not connect: ' . mysql_error());
}
// Build and run the query safely
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
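As an added example (not code from the original tutorial), the following shows what the escaping does to the Example 2 payload and, for comparison, the prepared-statement form that replaces string-built SQL. The mysql_* extension used on this page was removed in PHP 7.0, so mysqlEscape() is an assumed local re-implementation of the character mapping documented above, and findUserPrepared() assumes a live mysqli connection.

```php
<?php
// Added example, not code from the original tutorial. mysqlEscape() is a local
// re-implementation of the character mapping documented above (\x00, \n, \r, \, ',
// ", \x1a) so the page's payload can be inspected without a MySQL server; the real
// mysql_real_escape_string() also honours the connection's character set.
function mysqlEscape(string $value): string
{
    return strtr($value, [
        "\x00" => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// Builds the login query from Example 2, optionally escaping the inputs first.
function buildLoginQuery(string $user, string $pwd, bool $escape): string
{
    if ($escape) {
        $user = mysqlEscape($user);
        $pwd  = mysqlEscape($pwd);
    }
    return "SELECT * FROM users WHERE user='$user' AND password='$pwd'";
}

// Recommended replacement for building SQL from strings: a prepared statement keeps
// user input as bound data, so no escaping step is needed. Assumes a live mysqli
// connection with the mysqlnd driver (needed for get_result()); not run here.
function findUserPrepared(mysqli $db, string $user, string $pwd): ?array
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->bind_param('ss', $user, $pwd);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed input: the username and password payload from Example 2.
$user = 'john';
$pwd  = "' OR ''='";

// Unescaped, the payload closes the password literal and appends an always-true
// OR ''=''; escaped, each quote becomes \' and the payload stays inside the literal.
echo "Unescaped: ", buildLoginQuery($user, $pwd, false), PHP_EOL;
echo "Escaped:   ", buildLoginQuery($user, $pwd, true), PHP_EOL;
```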