PHP Basic
PHP HOME PHP Intro PHP Install PHP Syntax PHP Variables PHP String PHP Operators PHP If...Else PHP Switch PHP Arrays PHP Sorting Arrays PHP While Loops PHP For Loops PHP Functions PHP Forms PHP $_GET PHP $_POSTPHP Advanced
PHP Arrays Multi PHP Date PHP Include PHP File PHP File Upload PHP Cookies PHP Sessions PHP E-mail PHP Secure E-mail PHP Error PHP Exception PHP FilterPHP Database
PHP MySQL Intro PHP MySQL Connect PHP CREATE DB/Table PHP INSERT INTO PHP SELECT PHP WHERE PHP ORDER BY PHP UPDATE PHP DELETE PHP ODBCPHP XML
XML Expat Parser XML DOM XML SimpleXMLPHP and AJAX
AJAX Intro AJAX PHP AJAX Database AJAX XML AJAX Live Search AJAX RSS Reader AJAX PollPHP Reference
PHP Array PHP Calendar PHP Date PHP Directory PHP Error PHP Filesystem PHP Filter PHP FTP PHP HTTP PHP Libxml PHP Mail PHP Math PHP Misc PHP MySQLi PHP SimpleXML PHP String PHP XML PHP Zip PHP TimezonesPHP Quiz
PHP Quiz PHP CertificatePHP mysql_real_escape_string() Function
Complete PHP MySQL Reference
Definition and Usage
The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
This function returns the escaped string on success, or FALSE on failure.
Syntax
mysql_real_escape_string(string,connection)
| Parameter | Description |
|---|---|
| string | Required. Specifies the string to be escaped |
| connection | Optional. Specifies the MySQL connection. If not specified, the last connection opened by mysql_connect() or mysql_pconnect() is used. |
Tips and Notes
Note: Use this function to prevent database attack!
Example 1
<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// some code to get username and password
// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
// more code
mysql_close($con);
?>
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// some code to get username and password
// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
// more code
mysql_close($con);
?>
Example 2
Database attack. This example demonstrates what could happen if we do not use the mysql_real_escape_string() function on the username and password:
<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// We didn't check username and password.
// Could be anything the user wanted! Example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// some code
mysql_close($con);
?>
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// We didn't check username and password.
// Could be anything the user wanted! Example:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// some code
mysql_close($con);
?>
The SQL sent would be:
SELECT * FROM users
WHERE user='john' AND password='' OR ''=''
WHERE user='john' AND password='' OR ''=''
This means that anyone could log in without a valid password!
Example 3
The correct way to do it to prevent database attack:
<?php
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
Complete PHP MySQL Reference
W3Schools' Online Certification
The perfect solution for professionals who need to balance work, family, and career building.
More than 10 000 certificates already issued!
The HTML Certificate documents your knowledge of HTML.
The HTML5 Certificate documents your knowledge of advanced HTML5.
The CSS Certificate documents your knowledge of advanced CSS.
The JavaScript Certificate documents your knowledge of JavaScript and HTML DOM.
The jQuery Certificate documents your knowledge of jQuery.
The XML Certificate documents your knowledge of XML, XML DOM and XSLT.
The ASP Certificate documents your knowledge of ASP, SQL, and ADO.
The PHP Certificate documents your knowledge of PHP and SQL (MySQL).
Your suggestion:
Close [X]
Thank You For Helping Us!
Your message has been sent to W3Schools.
Close [X]
