w3resource

PHP mysqli: real_escape_string() function

mysqli_real_escape_string() function / mysqli::real_escape_string

The mysqli_real_escape_string() function / mysqli::real_escape_string escapes special characters in a string for use in an SQL statement.

Syntax:

Object oriented style

string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )

Procedural style

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

Parameter:

Name        Description                                                                          Required/Optional
link        A link identifier returned by mysqli_connect() or mysqli_init()                      Required in procedural style only
escapestr   The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.   Required

Usage: Procedural style

mysqli_real_escape_string(connection,escapestring);

Parameter:

Name           Description                                                                          Required/Optional
connection     Specifies the MySQL connection to use                                                Required
escapestring   The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.   Required

Return value:

Returns an escaped string.

Version: PHP 5, PHP 7

Example of object oriented style:

<?php
$mysqli = new mysqli("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

/* the value contains a single quote, which ends the string literal early if it is not escaped */
$city = "Kalkata's Bazaar";

/* this query will fail because we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", $mysqli->sqlstate);
}

/* escape the value according to the connection's character set */
$city = $mysqli->real_escape_string($city);

/* this query with the escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", $mysqli->affected_rows);
}

$mysqli->close();
?>

Example of procedural style:

<?php
$link = mysqli_connect("localhost", "user1", "datasoft123", "hr");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");

/* the value contains a single quote, which ends the string literal early if it is not escaped */
$city = "Kalkata's Bazaar";

/* this query will fail because we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("Error: %s\n", mysqli_sqlstate($link));
}

/* escape the value according to the connection's character set */
$city = mysqli_real_escape_string($link, $city);

/* this query with the escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
    printf("%d Row inserted.\n", mysqli_affected_rows($link));
}

mysqli_close($link);
?>

Output:

Error: 42000
1 Row inserted.
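The parameter description above lists the characters the function encodes, and the two examples show the escaped value being placed inside single quotes. The following added example (not code from this page or from the PHP manual) ties those two points together: it sets the connection character set before escaping, because real_escape_string escapes according to the connection's charset; it shows what the escaped form of a constructed sample value looks like; it shows that the escaped value is only usable inside a quoted string literal and does nothing for an unquoted position such as LIMIT; and it shows the prepared-statement alternative, where the raw value is bound and no escaping is needed. Host, credentials and database name are placeholders, the `City` table is the one the page's examples copy, and mysqli errors are turned into exceptions so each failure is reported once.

```php
<?php
// Added example, not code from the page or the PHP manual. Host, credentials and
// database are placeholders; `City` is the table the page's examples copy.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors throw

try {
    $mysqli = new mysqli("localhost", "user1", "datasoft123", "hr"); // placeholders

    // real_escape_string escapes according to the connection's character set,
    // so set it explicitly before the first call rather than relying on defaults.
    $mysqli->set_charset("utf8mb4");

    // Constructed sample value containing several of the characters the function encodes
    // (single quote, newline, double quotes).
    $raw = "Kalkata's\nBazaar \"North\"";
    $escaped = $mysqli->real_escape_string($raw);
    printf("raw:     %s\nescaped: %s\n", json_encode($raw), json_encode($escaped));

    $mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

    // The escaped value is only safe between single quotes in the statement text;
    // the quotes are part of the technique, not optional.
    $mysqli->query("INSERT INTO myCity (Name) VALUES ('$escaped')");
    printf("%d row inserted via real_escape_string\n", $mysqli->affected_rows);

    // Prepared statements send the value separately from the statement text.
    // Bind the raw string, not the escaped one, or the backslashes get stored.
    $stmt = $mysqli->prepare("INSERT INTO myCity (Name) VALUES (?)");
    $stmt->bind_param("s", $raw);
    $stmt->execute();
    printf("%d row inserted via prepared statement\n", $stmt->affected_rows);
    $stmt->close();

    // Escaping does nothing for an unquoted numeric position such as LIMIT:
    // there the value has to be cast or validated instead.
    $limit = max(1, (int) "2 extra"); // constructed untrusted input, cast to an integer
    $result = $mysqli->query("SELECT Name FROM myCity LIMIT $limit");
    while ($row = $result->fetch_assoc()) {
        // Both rows hold the original text: escaping only changes the SQL text, not the data.
        echo json_encode($row["Name"]), "\n";
    }
    $result->free();
    $mysqli->close();
} catch (mysqli_sql_exception $e) {
    printf("MySQL error: %s\n", $e->getMessage());
    exit(1);
}
```

Run it against a database that has the `City` table (for example MySQL's sample `world` database) after replacing the placeholder connection details. The first two lines of output show the raw value beside its escaped form; the SELECT at the end shows that both inserts stored the same original text, which is the easiest way to confirm that escaping was applied exactly once and only to the statement text.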

See also

PHP Function Reference





https://w3resource.com/php/function-reference/mysqli_real_escape_string.php