
mysqli_real_escape_string

Escapes special characters in a string for use in a SQL statement, taking into account the current charset of the connection (PHP 5)

string mysqli_real_escape_string ( mysqli link, string escapestr )

The function escapes the characters that have a special meaning inside a quoted SQL string literal (NUL, \n, \r, \, ', " and Control-Z) so that the result can be placed between quotes in a query without terminating the literal early. It does not add the surrounding quotes, and it does nothing useful for values that are not quoted string literals (numbers, identifiers, ORDER BY or LIMIT fragments). Because the escaping depends on the connection charset, set that charset with mysqli_set_charset() before calling this function rather than with a "SET NAMES" query, which the client library does not see. Where the value does not need to become part of the SQL text at all, a prepared statement (mysqli_prepare() with bound parameters) avoids the escaping step entirely.

Example 1541. Object oriented style

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, because we didn't escape $city: the apostrophe
   in the value closes the string literal early */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

$city = $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>

Example 1542. Procedural style

<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");

$city = "'s Hertogenbosch";

/* this query will fail, because we didn't escape $city: the apostrophe
   in the value closes the string literal early */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", mysqli_sqlstate($link));
}

$city = mysqli_real_escape_string($link, $city);

/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

mysqli_close($link);
?>
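The manual examples above use a value that merely breaks the query. The following is an added example, not part of the PHP manual, that runs the same INSERT three ways against the "world" sample database: with the value interpolated unescaped, interpolated after mysqli_real_escape_string(), and bound to a prepared statement. The input value is constructed to look like attacker-controlled data; the table, columns and credentials are the ones the manual examples assume.

```php
<?php
/* Added example, not from the PHP manual: the same INSERT done three ways,
 * showing what escaping fixes and what a prepared statement does instead.
 * Assumes the "world" sample database used by the manual examples above;
 * the input value is constructed to look like attacker-controlled data. */

$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection: with no usable connection, real_escape_string() would
 * silently return "" and the query below would store an empty Name */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

/* Escaping is only correct for the charset the connection actually uses.
 * Set it through the API so the client library knows about it; a raw
 * "SET NAMES" query changes the server side only. */
$mysqli->set_charset("utf8mb4");

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

/* constructed input: a quote followed by SQL */
$city = "x'), ('injected";

/* 1. Unescaped interpolation. The quote closes the literal and the rest of
 *    the input is parsed as SQL, so this statement inserts TWO rows
 *    ('x' and 'injected'). */
$mysqli->query("INSERT INTO myCity (Name) VALUES ('$city')");
printf("unescaped: %d row(s) inserted\n", $mysqli->affected_rows);

/* 2. Escaped interpolation. The quote becomes \' and the whole input is
 *    stored as one literal value. */
$escaped = $mysqli->real_escape_string($city);
$mysqli->query("INSERT INTO myCity (Name) VALUES ('$escaped')");
printf("escaped:   %d row(s) inserted\n", $mysqli->affected_rows);

/* 3. Prepared statement. The value never becomes part of the SQL text,
 *    so there is nothing to escape. */
$stmt = $mysqli->prepare("INSERT INTO myCity (Name) VALUES (?)");
$stmt->bind_param("s", $city);
$stmt->execute();
printf("prepared:  %d row(s) inserted\n", $stmt->affected_rows);
$stmt->close();

/* Check: only the escaped and the prepared insert stored the input
 * verbatim, so exactly two rows carry that Name. */
$stmt = $mysqli->prepare("SELECT COUNT(*) FROM myCity WHERE Name = ?");
$stmt->bind_param("s", $city);
$stmt->execute();
$stmt->bind_result($count);
$stmt->fetch();
printf("rows whose Name is exactly the input: %d\n", $count);
$stmt->close();

$mysqli->close();
?>
```

The first INSERT succeeds, which is the dangerous case: a value that happens to produce valid SQL does not raise an error the way the manual's apostrophe example does, so a missing escape is only noticed by its effects. The prepared form needs no escaping because the value travels separately from the statement text.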

Code Examples / Notes » mysqli_real_escape_string

tobias_demuth

Note that if no connection is open, mysqli_real_escape_string() will return an empty string!

arnoud

Note that this function will NOT escape _ (underscore) and % (percent) signs, which have special meanings in LIKE clauses.
As far as I know there is no function to do this, so you have to escape them yourself by adding a backslash in front of them.
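One way to handle the LIKE metacharacters the note above describes, as an added example that is not part of the PHP manual or the mysqli extension. It uses an explicit ESCAPE clause with a character other than the backslash, so it does not depend on the server's sql_mode, and shows the two-stage escaping for an interpolated pattern next to the single stage needed for a bound parameter. The Product table and its Name column are assumed for illustration; the search term is constructed.

```php
<?php
/* Added example, not part of the PHP manual or the mysqli extension.
 * Assumes a hypothetical Product table with a Name column in the "world"
 * database used above; the search term is constructed. */

/* Stage 1: neutralise the LIKE metacharacters. A character other than the
 * backslash is used as escape character and named in an ESCAPE clause, so
 * the result does not depend on the server's sql_mode
 * (NO_BACKSLASH_ESCAPES turns the default backslash escape off). */
function like_escape(string $value, string $esc = '!'): string
{
    /* the escape character itself must go first, otherwise the escapes
     * added for % and _ would be escaped a second time */
    return str_replace(
        array($esc, '%', '_'),
        array($esc . $esc, $esc . '%', $esc . '_'),
        $value
    );
}

$link = mysqli_connect("localhost", "my_user", "my_password", "world");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
mysqli_set_charset($link, "utf8mb4");

/* constructed input: the user typed a literal percent sign */
$term = "100% cotton";

/* Wrong: real_escape_string() alone leaves % as a wildcard, so the
 * pattern '100% cotton%' also matches '1000 metres of cotton'. */
$sql = "SELECT Name FROM Product WHERE Name LIKE '"
     . mysqli_real_escape_string($link, $term) . "%'";

/* Right, interpolated: stage 1 (LIKE escaping), then stage 2 (SQL-literal
 * escaping), in that order, and the ESCAPE clause names the character. */
$pattern = like_escape($term) . '%';            /* 100!% cotton% */
$sql = "SELECT Name FROM Product WHERE Name LIKE '"
     . mysqli_real_escape_string($link, $pattern) . "' ESCAPE '!'";

/* Right, bound: stage 1 only. The parameter is not part of the SQL text,
 * so real_escape_string() must NOT be applied to it (the backslashes it
 * adds would become part of the search), but LIKE still needs its
 * metacharacters escaped because they are interpreted by the operator,
 * not by the SQL parser. */
$stmt = mysqli_prepare($link,
    "SELECT Name FROM Product WHERE Name LIKE ? ESCAPE '!'");
mysqli_stmt_bind_param($stmt, "s", $pattern);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $name);
while (mysqli_stmt_fetch($stmt)) {
    printf("%s\n", $name);
}
mysqli_stmt_close($stmt);

mysqli_close($link);
?>
```

The note's approach of prefixing a backslash works as well when the server honours backslash escapes; the explicit ESCAPE clause simply makes that choice visible in the query instead of inherited from the connection.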

