PHP mysqli: real_escape_string() function
mysqli_real_escape_string() function / mysqli::real_escape_string
The mysqli_real_escape_string() function / mysqli::real_escape_string escapes special characters in a string for use in an SQL statement.
Syntax:
Object oriented style
string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )
Procedural style
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
Parameter:
| Name | Description | Required/Optional | |
|---|---|---|---|
| link | A link identifier returned by mysqli_connect() or mysqli_init() | Required for procedural style only and Optional for Object oriented style | |
| escapestr | The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. |
Required | |
Usage: Procedural style
mysqli_real_escape_string(connection,escapestring);
Parameter:
| Name | Description | Required/Optional |
|---|---|---|
| connection | Specifies the MySQL connection to use | Required |
| escapestring | The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. | Required |
Return value:
Returns an escaped string.
Version: PHP 5, PHP 7
Example of object oriented style:
<?php
$mysqli = new mysqli("localhost", "user1", "datasoft123", "hr");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
$city = "Kalkata";
/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}
$city = $mysqli->real_escape_string($city);
/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}
$mysqli->close();
?>
Example of procedural style:
<?php
$link = mysqli_connect("localhost", "user1", "datasoft123", "hr");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "Kalkata";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
Output:
Error: 42000 1 Row inserted.
See also
Previous: real_connect
Next: real_query
PHP: Tips of the Day
To use the constant simply use its name:
Example:
if (EARTH_IS_FLAT) {
print "Earth is flat";
}
print APP_ENV_UPPERCASE;
Output:
or if you don't know the name of the constant in advance, use the constant function:
// this code is equivalent to the above code
$const1 = "EARTH_IS_FLAT";
$const2 = "APP_ENV_UPPERCASE";
if (constant($const1)) {
print "Earth is flat";
}
print constant($const2);
Output:
- Weekly Trends
- Java Basic Programming Exercises
- SQL Subqueries
- Adventureworks Database Exercises
- C# Sharp Basic Exercises
- SQL COUNT() with distinct
- JavaScript String Exercises
- JavaScript HTML Form Validation
- Java Collection Exercises
- SQL COUNT() function
- SQL Inner Join
- JavaScript functions Exercises
- Python Tutorial
- Python Array Exercises
- SQL Cross Join
- C# Sharp Array Exercises
We are closing our Disqus commenting system for some maintenanace issues. You may write to us at reach[at]yahoo[dot]com or visit us at Facebook