How to use mysqli_real_escape_string() function in PHP?

醉折花枝作酒筹
Release: 2023-03-10 11:18:01

This article explains how to use the mysqli_real_escape_string() function in PHP.

mysqli_real_escape_string() is a built-in PHP function that escapes the special characters in a string so that it can be used in an SQL query. Use it on a string before inserting it into the database: it escapes any special characters that would otherwise interfere with the query.

Plain strings may contain special characters such as backslashes and apostrophes, especially when the data comes directly from a form where a user entered it. Left unescaped, these characters are treated as part of the query string and interfere with its proper functioning.

<?php

$connection = mysqli_connect(
    "localhost", "root", "", "Persons");

// Check connection
if (mysqli_connect_errno()) {
    echo "Database connection failed.";
    exit;
}

$firstname = "Robert'O";
$lastname = "O'Connell";

// The values are placed in the query without escaping
$sql = "INSERT INTO Persons (FirstName, LastName)
        VALUES ('$firstname', '$lastname')";

if (mysqli_query($connection, $sql)) {

    // Print the number of rows inserted in
    // the table, if insertion is successful
    printf("%d row inserted.\n", mysqli_affected_rows($connection));
}
else {

    // Query fails because the apostrophe in
    // the string interferes with the query
    printf("An error occurred!");
}

?>

In the above code, the query fails because the apostrophe in each value is treated as part of the SQL statement when it is run with mysqli_query(): it closes the quoted string early. The solution is to pass each string through mysqli_real_escape_string() before using it in the query.

<?php

$connection = mysqli_connect(
    "localhost", "root", "", "Persons");

// Check connection
if (mysqli_connect_errno()) {
    echo "Database connection failed.";
    exit;
}

$firstname = "Robert'O";
$lastname = "O'Connell";

// Escape the special characters in the
// strings using mysqli_real_escape_string

$lastname_escape = mysqli_real_escape_string(
    $connection, $lastname);

$firstname_escape = mysqli_real_escape_string(
    $connection, $firstname);

// Build the query from the escaped values, not the raw ones
$sql = "INSERT INTO Persons (FirstName, LastName)
        VALUES ('$firstname_escape', '$lastname_escape')";

if (mysqli_query($connection, $sql)) {

    // Print the number of rows inserted in
    // the table, if insertion is successful
    printf("%d row inserted.\n", mysqli_affected_rows($connection));
}

?>

The output is as follows:

1 row inserted.
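
The same insert can also be written as a prepared statement, which sends the values separately from the SQL text, so the apostrophes never reach the SQL parser as syntax. The following is an added example, not code from the original article; it assumes the same Persons database and table as above, and the utf8mb4 character set is an assumption.

```php
<?php
// Added example, not from the original article. Assumes the same
// "Persons" database and Persons(FirstName, LastName) table as above.

// Throw exceptions on errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$connection = mysqli_connect("localhost", "root", "", "Persons");

// mysqli_real_escape_string() escapes according to the connection
// character set, so set it explicitly (utf8mb4 is an assumption here).
mysqli_set_charset($connection, "utf8mb4");

$firstname = "Robert'O";
$lastname  = "O'Connell";

// Option 1: escaping. The escaped values must sit inside quotes in the
// query; escaping does not protect unquoted values or identifiers.
$sql = sprintf(
    "INSERT INTO Persons (FirstName, LastName) VALUES ('%s', '%s')",
    mysqli_real_escape_string($connection, $firstname),
    mysqli_real_escape_string($connection, $lastname)
);
mysqli_query($connection, $sql);
printf("%d row inserted (escaped).\n", mysqli_affected_rows($connection));

// Option 2: prepared statement. The values are bound to the ? markers
// and sent separately from the SQL text, so no escaping is needed.
$stmt = mysqli_prepare(
    $connection,
    "INSERT INTO Persons (FirstName, LastName) VALUES (?, ?)"
);
mysqli_stmt_bind_param($stmt, "ss", $firstname, $lastname);
mysqli_stmt_execute($stmt);
printf("%d row inserted (prepared).\n", mysqli_stmt_affected_rows($stmt));

mysqli_stmt_close($stmt);
mysqli_close($connection);
?>
```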

source:segmentfault.com