mysqli::real_escape_string

mysqli_real_escape_string

(PHP 5, PHP 7, PHP 8)

mysqli::real_escape_string -- mysqli_real_escape_stringEscapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection

Description

Object-oriented style

public mysqli::real_escape_string(string $string): string

Procedural style

mysqli_real_escape_string(mysqli $mysql, string $string): string

This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to produce an escaped SQL string, taking into account the current character set of the connection.

Caution

Security: the default character set

The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). See the concepts section on character sets for more information.

Parameters

mysql

Procedural style only: A mysqli object returned by mysqli_connect() or mysqli_init()

string

The string to be escaped.

Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.

Return Values

Returns an escaped string.

Examples

Example #1 mysqli::real_escape_string() example

Object-oriented style

<?php

mysqli_report
(MYSQLI_REPORT_ERROR MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost""my_user""my_password""world");

$city "'s-Hertogenbosch";

/* this query with escaped $city will work */
$query sprintf("SELECT CountryCode FROM City WHERE name='%s'",
    
$mysqli->real_escape_string($city));
$result $mysqli->query($query);
printf("Select returned %d rows.\n"$result->num_rows);

/* this query will fail, because we didn't escape $city */
$query sprintf("SELECT CountryCode FROM City WHERE name='%s'"$city);
$result $mysqli->query($query);

Procedural style

<?php

mysqli_report
(MYSQLI_REPORT_ERROR MYSQLI_REPORT_STRICT);
$mysqli mysqli_connect("localhost""my_user""my_password""world");

$city "'s-Hertogenbosch";

/* this query with escaped $city will work */
$query sprintf("SELECT CountryCode FROM City WHERE name='%s'",
    
mysqli_real_escape_string($mysqli$city));
$result mysqli_query($mysqli$query);
printf("Select returned %d rows.\n"mysqli_num_rows($result));

/* this query will fail, because we didn't escape $city */
$query sprintf("SELECT CountryCode FROM City WHERE name='%s'"$city);
$result mysqli_query($mysqli$query);

The above examples will output something similar to:

Select returned 1 rows.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...

See Also

Here you can write a comment


Please enter at least 10 characters.
Loading... Please wait.
* Pflichtangabe
There are no comments available yet.

PHP cURL Tutorial: Using cURL to Make HTTP Requests

cURL is a powerful PHP extension that allows you to communicate with different servers using various protocols, including HTTP, HTTPS, FTP, and more. ...

TheMax

Autor : TheMax
Category: PHP-Tutorials

Midjourney Tutorial - Instructions for beginners

There is an informative video about Midjourney, the tool for creating digital images using artificial intelligence, entitled "Midjourney tutorial in German - instructions for beginners" ...

Mike94

Autor : Mike94
Category: KI Tutorials

Basics of views in MySQL

Views in a MySQL database offer the option of creating a virtual table based on the result of an SQL query. This virtual table can be queried like a normal table without changing the underlying data. ...

admin

Autor : admin
Category: mySQL-Tutorials

Publish a tutorial

Share your knowledge with other developers worldwide

Share your knowledge with other developers worldwide

You are a professional in your field and want to share your knowledge, then sign up now and share it with our PHP community

learn more

Publish a tutorial