w3resource

PHP mysqli: real_escape_string() function

mysqli_real_escape_string() function / mysqli::real_escape_string

The mysqli_real_escape_string() function / mysqli::real_escape_string escapes special characters in a string for use in an SQL statement.

Syntax:

Object oriented style

string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )

Procedural style

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Parameter:

Name Description Required/Optional
link A link identifier returned by mysqli_connect() or mysqli_init() Required for procedural style only and Optional for Object oriented style
escapestr The string to be escaped.
Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
Required

Usage: Procedural style

mysqli_real_escape_string(connection,escapestring);

Parameter:

Name Description Required/Optional
connection Specifies the MySQL connection to use Required
escapestring The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. Required

Return value:

Returns an escaped string.

Version: PHP 5, PHP 7

Example of object oriented style:

<?php
$mysqli = new mysqli("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "Kalkata";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>

Example of procedural style:

<?php
$link = mysqli_connect("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");

$city = "Kalkata";

/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", mysqli_sqlstate($link));
}

$city = mysqli_real_escape_string($link, $city);

/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

mysqli_close($link);
?>

Output:

Error: 42000
1 Row inserted.

See also

PHP Function Reference

Previous: real_connect
Next: real_query



PHP: Tips of the Day

var_export(): var_export() dumps a PHP parseable representation of the item.

You can pass true as the second parameter to return the contents into a variable.

Example:

<?php
$myarray = [ "PHP", "Tips" ];
$mystring = "PHP Tips";
$myint = 28;

var_export($myarray);
var_export($mystring);
var_export($myint);
?>

Output:

array (
  0 => 'PHP',
  1 => 'Tips',
)'PHP Tips'28

To put the content into a variable, you can do this:

$array_export = var_export($myarray, true);
$string_export = var_export($mystring, true);
$int_export = var_export($myint, 1); // any `Truthy` value

After that, you can output it like this:

printf('$myarray = %s; %s', $array_export, PHP_EOL);
printf('$mystring = %s; %s', $string_export, PHP_EOL);
printf('$myint = %s; %s', $int_export, PHP_EOL);

Example:

<?php
$myarray = [ "PHP", "Tips" ];
$mystring = "PHP Tips";
$myint = 28;
$array_export = var_export($myarray, true);
$string_export = var_export($mystring, true);
$int_export = var_export($myint, 1);
printf('$myarray = %s; %s', $array_export, PHP_EOL);
printf('$mystring = %s; %s', $string_export, PHP_EOL);
printf('$myint = %s; %s', $int_export, PHP_EOL);
?>

This will produce the following output:

Output:

$myarray = array (
  0 => 'PHP',
  1 => 'Tips',
);
$mystring = 'PHP Tips';
$myint = 28;