
PHP mysql_real_escape_string() Function


PHP MySQL Reference Complete PHP MySQL Reference

Definition and Usage

The mysql_real_escape_string() function escapes special characters in a string so that the string can be placed inside a quoted literal in an SQL statement.

The following characters are affected:

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

This function returns the escaped string on success, or FALSE on failure (for example, when no MySQL connection is available).
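The following is an added example, not code from the w3schools page: a plain-PHP stand-in for the escaping rule listed above, so the effect of the function can be seen without a MySQL connection. The helper name escape_like_mysql() is an assumption made here; the real mysql_real_escape_string() also takes the connection's character set into account, which this single-byte version does not, so real code should call the library function.

```php
<?php
// Added example (not from the w3schools page): a plain-PHP reference
// implementation of the escaping rule listed above. It is single-byte and
// ignores the connection character set, unlike mysql_real_escape_string().
function escape_like_mysql($value)
{
    // Each of the listed characters is replaced by its backslash-escaped form,
    // exactly as MySQL expects inside a quoted string literal.
    $map = array(
        "\x00" => '\0',    // NUL
        "\n"   => '\n',    // line feed
        "\r"   => '\r',    // carriage return
        '\\'   => '\\\\',  // backslash becomes two backslashes
        "'"    => "\'",    // single quote
        '"'    => '\"',    // double quote
        "\x1a" => '\Z',    // Ctrl-Z (end of file on Windows)
    );
    // strtr() with an array does a single left-to-right pass and never
    // re-scans text it has already replaced.
    return strtr($value, $map);
}

// The password value from Example 2 on this page, constructed here as input.
$raw = "' OR ''='";
$escaped = escape_like_mysql($raw);

// Inside quotes the escaped value is inert: the quote characters no longer
// terminate the literal, so the whole value is compared as one string.
$sql = "SELECT * FROM users WHERE user='john' AND password='" . $escaped . "'";
echo $sql, "\n";

// Escaping only rewrites the characters in the list. A value interpolated
// without surrounding quotes is therefore not protected by escaping alone,
// which is why check_input() in Example 3 wraps every non-numeric value in
// quotes before putting it into the query.
$unquoted = "1 OR 1=1";  // constructed: contains none of the listed characters
var_dump(escape_like_mysql($unquoted) === $unquoted);  // unchanged by escaping
```

The second check is the practical caveat: the function neutralizes quote and control characters, but it does not make an arbitrary value safe in every SQL position. Use it only for values that end up inside a quoted literal, or better, use a prepared statement.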

Syntax

mysql_real_escape_string(string,connection)

Parameter    Description
string       Required. Specifies the string to be escaped.
connection   Optional. Specifies the MySQL connection. If not specified, the last connection opened by mysql_connect() or mysql_pconnect() is used.


Tips and Notes

Note: Use this function to prevent SQL injection attacks!


Example 1

<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// some code to get username and password, here from the login form
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : '';

// escape username and password for use in SQL
// (the open connection $con supplies the character set)
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

// the escaped values must be placed inside quotes
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// more code

mysql_close($con);
?>


Example 2

SQL injection. This example shows what can happen when mysql_real_escape_string() is not applied to the username and password:

<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);

// We didn't check username and password.
// Could be anything the user wanted! Example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";

// some code

mysql_close($con);
?>

The SQL sent would be:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means that anyone could log in without a valid password!


Example 3

The correct way to build the query, so that the injection from Example 2 fails:

<?php
// Prepare one value for use in an SQL statement: escape it and wrap it in
// quotes, so that it can be inserted into the query as a single literal.
function check_input($value)
{
// Stripslashes: undo the automatic escaping of magic_quotes_gpc (if enabled)
// so the value is not escaped twice
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number: numeric values are used as they are, everything
// else is escaped and wrapped in single quotes
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Make a safe SQL: check_input() adds the quotes, so none are written here
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>
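As an added example (not from the w3schools page or the PHP project), the same login query written with a prepared statement, which replaces escaping-and-quoting in current PHP (the mysql_* functions were removed in PHP 7). To run offline it assumes PDO with an in-memory SQLite database (pdo_sqlite extension) and a constructed users table; against MySQL only the DSN and credentials change. The function name find_user() is an assumption made here.

```php
<?php
// Added example, not from the w3schools page: a prepared statement sends the
// SQL text and the parameter values separately, so user input can never
// change the structure of the statement, quoted or not.
//
// Assumption: an in-memory SQLite database via PDO so the script runs offline.
// For MySQL use e.g. new PDO("mysql:host=localhost;dbname=app", $dbUser, $dbPass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data standing in for the users table of Example 2.
// (The page stores plaintext passwords; real code would store a
// password_hash() digest and compare with password_verify().)
$pdo->exec("CREATE TABLE users (user TEXT, password TEXT)");
$pdo->exec("INSERT INTO users VALUES ('john', 'secret')");

// Look up a user by name and password; returns the row or false.
function find_user(PDO $pdo, $user, $pwd)
{
    // Named placeholders instead of string concatenation; no escaping or
    // quoting is done by hand, the driver binds the values.
    $stmt = $pdo->prepare(
        "SELECT * FROM users WHERE user = :user AND password = :pwd"
    );
    $stmt->execute(array(':user' => $user, ':pwd' => $pwd));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// The correct password finds the row ...
var_dump(find_user($pdo, 'john', 'secret') !== false);

// ... while the payload from Example 2 is compared as a literal string and
// matches no row, so the login fails instead of succeeding for anyone.
var_dump(find_user($pdo, 'john', "' OR ''='") === false);
```

With a prepared statement the quoting question of Example 3 disappears: numeric and string values are both passed as parameters, and the SQL text stays constant no matter what the user submits.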

