Definition and Usage
The mysql_real_escape_string() function escapes special characters in strings used in SQL statements.
The following characters are affected:
x00
n
r
'
"
x1a
If successful, the function returns the escaped string. If failed, returns false.
Grammar
mysql_real_escape_string(string,connection)
Parameter Description
string required. Specifies the string to be escaped.
connection is optional. Specifies the MySQL connection. If not specified, the previous connection is used.
Description
This function escapes special characters in a string, taking into account the connection's current character set, and is therefore safe to use with mysql_query().
Tips and Notes
Tip: You can use this function to prevent database attacks.
Example
Example 1
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// Code to get username and password
// Escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
// More code
mysql_close($con);
?>
Example 2
Database attacks. This example shows what happens if we don't apply the mysql_real_escape_string() function to the username and password:
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// Do not check username and password // Can be anything entered by the user, such as:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// Some code...
mysql_close($con);
?>
Then the SQL query will look like this:
SELECT * FROM users
WHERE user='john' AND password='' OR ''=''
This means that any user can log in without entering a valid password.
Example 3
Correct practices to prevent database attacks:
function check_input($value)
{
// Remove slashes
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// If it is not a number, add quotes
if (!is_numeric($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
// Make secure SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>
Author "Other Shore"