PHP mysqli: real_escape_string() function
mysqli_real_escape_string() function / mysqli::real_escape_string
The mysqli_real_escape_string() function / mysqli::real_escape_string escapes special characters in a string for use in an SQL statement.
Syntax:
Object oriented style
string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )
Procedural style
string mysqli_real_escape_string ( mysqli $link , string $escapestr )
Parameter:
| Name | Description | Required/Optional | |
|---|---|---|---|
| link | A link identifier returned by mysqli_connect() or mysqli_init() | Required for procedural style only and Optional for Object oriented style | |
| escapestr | The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. |
Required | |
Usage: Procedural style
mysqli_real_escape_string(connection,escapestring);
Parameter:
| Name | Description | Required/Optional |
|---|---|---|
| connection | Specifies the MySQL connection to use | Required |
| escapestring | The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. | Required |
Return value:
Returns an escaped string.
Version: PHP 5, PHP 7
Example of object oriented style:
<?php
$mysqli = new mysqli("localhost", "user1", "datasoft123", "hr");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
$city = "Kalkata";
/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}
$city = $mysqli->real_escape_string($city);
/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}
$mysqli->close();
?>
Example of procedural style:
<?php
$link = mysqli_connect("localhost", "user1", "datasoft123", "hr");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "Kalkata";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>
Output:
Error: 42000 1 Row inserted.
See also
Previous: real_connect
Next: real_query