mysql_real_escape_string
Escapes special characters in a string for use in an SQL statement

Warning
This extension was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. See also the MySQL: choosing an API guide. Alternatives to this function include:
Description
string mysql_real_escape_string(string $unescaped_string, resource $link_identifier = NULL)
Escapes special characters in the

mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters:
This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Caution
Security: the default character set
The character set must be set either at the server level, or with the API function mysql_set_charset for it to affect mysql_real_escape_string. See the concepts section on character sets for more information.

Parameters
Return Values
Returns the escaped string, or

Errors/Exceptions
Executing this function without a MySQL connection present will also emit

Examples
Example #1 Simple mysql_real_escape_string example

Example #2 mysql_real_escape_string requires a connection example
This example demonstrates what happens if a MySQL connection is not present when calling this function.

The above example will output something similar to:

Warning: mysql_real_escape_string(): No such file or directory in /this/test/script.php on line 5
Warning: mysql_real_escape_string(): A link to the server could not be established in /this/test/script.php on line 5
bool(false)
string(41) "SELECT * FROM actors WHERE last_name = ''"
Example #3 An example SQL Injection Attack

The query sent to MySQL:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

This would allow anyone to log in without a valid password.

Notes
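As an added example (not code from the PHP manual), the login query of Example #3 built three ways: interpolated as in that example, escaped through the MySQLi replacement with the connection character set set first, and as a PDO prepared statement. The connection handles are assumed to exist; the two connection-dependent functions are defined but only the pure string builder is called, so the script runs without a database.

```php
<?php
// Added example, not part of the PHP manual. Input values are constructed
// from Example #3; the mysqli/PDO handles are hypothetical.

// 1. Unsafe: the raw values are interpolated into the statement, exactly
//    as in Example #3, so a quote in the input ends the string literal.
function buildLoginQueryUnsafe(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE user='$user' AND password='$pass'";
}

// 2. Legacy fix with the MySQLi extension: escape each value with the
//    connection's character set. mysqli_set_charset() must have been
//    called on $db first (see the Security caution above); escaping with
//    the wrong character set can leave a quote unescaped in multibyte input.
function buildLoginQueryEscaped(mysqli $db, string $user, string $pass): string
{
    $u = mysqli_real_escape_string($db, $user);
    $p = mysqli_real_escape_string($db, $pass);
    return "SELECT * FROM users WHERE user='$u' AND password='$p'";
}

// 3. Recommended: a PDO_MySQL prepared statement. The values are sent
//    separately from the SQL text, so no escaping step can be forgotten.
function findUserPdo(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The submitted values from Example #3.
$user = 'aidan';
$pass = "' OR ''='";

// Prints the injected query shown under Example #3.
echo buildLoginQueryUnsafe($user, $pass), PHP_EOL;

// With a live connection (hypothetical DSN and credentials) the same values
// stay inside the literal or inside the bound parameter:
//   $db = mysqli_connect('localhost', 'app', 'secret', 'appdb');
//   mysqli_set_charset($db, 'utf8mb4');
//   echo buildLoginQueryEscaped($db, $user, $pass), PHP_EOL;
//   $pdo = new PDO('mysql:host=localhost;dbname=appdb;charset=utf8mb4', 'app', 'secret');
//   var_dump(findUserPdo($pdo, $user, $pass));
```

With the prepared statement the password column is compared against the literal text ' OR ''=' and no row matches, which is the behaviour the escaped form also restores when the character set is configured correctly.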
See Also