PHP mysqli: real_escape_string() function

Last update on August 19 2022 21:51:15 (UTC/GMT +8 hours)

mysqli_real_escape_string() function / mysqli::real_escape_string

The mysqli_real_escape_string() function / mysqli::real_escape_string escapes special characters in a string for use in an SQL statement.

Syntax:

Object oriented style

string mysqli::escape_string ( string $escapestr )

string mysqli::real_escape_string ( string $escapestr )

Procedural style

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Parameter:

Name	Description		Required/Optional
link	A link identifier returned by mysqli_connect() or mysqli_init()		Required for procedural style only and Optional for Object oriented style
escapestr	The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.		Required

Usage: Procedural style

mysqli_real_escape_string(connection,escapestring);

Parameter:

Name	Description	Required/Optional
connection	Specifies the MySQL connection to use	Required
escapestring	The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.	Required

Return value:

Returns an escaped string.

Version: PHP 5, PHP 7

Example of object oriented style:

<?php
$mysqli = new mysqli("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "Kalkata";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>

Example of procedural style:

<?php
$link = mysqli_connect("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");

$city = "Kalkata";

/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", mysqli_sqlstate($link));
}

$city = mysqli_real_escape_string($link, $city);

/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

mysqli_close($link);
?>

Output:

Error: 42000
1 Row inserted.

See also

PHP Function Reference

Previous: real_connect
Next: real_query

Weekly Trends and Language Statistics
Weekly Trends and Language Statistics