How to use mysqli_real_escape_string() function in PHP?

This article will introduce to you how to use the mysqli_real_escape_string() function in PHP. It has certain reference value. Friends in need can refer to it. I hope it will be helpful to everyone.

mysqli_real_escape_string() function is a built-in function in PHP that is used to escape all special characters for use in SQL queries. Use this before inserting the string into the database as it removes any special characters that may interfere with the query operation.

When using simple strings, they may contain special characters such as backslashes and apostrophes (especially if they are fetching data directly from a form where such data was entered). These are considered part of the query string and interfere with its proper functioning.

<?php
  
$connection = mysqli_connect(
     "localhost" , "root" , "" , "Persons" ); 
         
// Check connection 
if (mysqli_connect_errno()) { 
     echo "Database connection failed." ; 
} 
   
$firstname = "Robert&#39;O" ;
$lastname = "O&#39;Connell" ;
   
$sql ="INSERT INTO Persons (FirstName, LastName) 
             VALUES ( &#39;$firstname&#39; , &#39;$lastname&#39; )";
   
   
if (mysqli_query( $connection , $sql )) {
      
     // Print the number of rows inserted in
     // the table, if insertion is successful
     printf( "%d row inserted.n" , $mysqli ->affected_rows);
}
else {
      
     // Query fails because the apostrophe in 
     // the string interferes with the query
     printf( "An error occurred!" );
}
   
?>

In the above code, the query fails because the apostrophe is considered part of the query when performed using mysqli_query(). The solution is to use mysqli_real_escape_string() before using the string in the query.

<?php
   
$connection = mysqli_connect(
         "localhost" , "root" , "" , "Persons" ); 
  
// Check connection 
if (mysqli_connect_errno()) { 
     echo "Database connection failed." ; 
} 
       
$firstname = "Robert&#39;O" ;
$lastname = "O&#39;Connell" ;
   
// Remove the special characters from the
// string using mysqli_real_escape_string
   
$lastname_escape = mysqli_real_escape_string(
                     $connection , $lastname );
                      
$firstname_escape = mysqli_real_escape_string(
                     $connection , $firstname );
   
$sql ="INSERT INTO Persons (FirstName, LastName)
             VALUES ( &#39;$firstname&#39; , &#39;$lastname&#39; )";
  
if (mysqli_query( $connection , $sql )) {
      
     // Print the number of rows inserted in
     // the table, if insertion is successful
     printf( "%d row inserted.n" , $mysqli ->affected_rows);
}
   
?>

The output is as follows:

1 row inserted.

The above is the detailed content of How to use mysqli_real_escape_string() function in PHP?. For more information, please follow other related articles on the PHP Chinese website!