PDF (US Ltr)
- 6.4Mb
PDF (A4)
- 6.4Mb
HTML Download (TGZ)
- 3.1Mb
HTML Download (Zip)
- 3.2Mb
Copyright 1997-2020 the PHP Documentation Group.
mysqli::real_escape_stringmysqli::escape_stringmysqli_real_escape_stringEscapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
Description
Object oriented style
string mysqli::escape_string(string escapestr);string mysqli::real_escape_string(string escapestr);Procedural style
string mysqli_real_escape_string(mysqli link,
string escapestr);This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.
Security: the default character set
The character set must be set either at the server level, or
with the API function
mysqli_set_charset
for it to affect
mysqli_real_escape_string.
See the concepts section on
character
sets for more information.
Parameters
-
link Procedural style only: A link identifier returned by
mysqli_connectormysqli_init-
escapestr The string to be escaped.
Characters encoded are
NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
Return Values
Returns an escaped string.
Errors/Exceptions
Executing this function without a valid MySQLi connection passed
in will return NULL and emit
E_WARNING level errors.
Examples
Example 7.71 mysqli::real_escape_string
example
Object oriented style
<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", $mysqli->sqlstate);
}
$city = $mysqli->real_escape_string($city);
/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", $mysqli->affected_rows);
}
$mysqli->close();
?>Procedural style
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
/* check connection */
if (mysqli_connect_errno()) {
printf("Connect failed: %s\n", mysqli_connect_error());
exit();
}
mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
$city = "'s Hertogenbosch";
/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("Error: %s\n", mysqli_sqlstate($link));
}
$city = mysqli_real_escape_string($link, $city);
/* this query with escaped $city will work */
if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
printf("%d Row inserted.\n", mysqli_affected_rows($link));
}
mysqli_close($link);
?>The above examples will output:
Error: 42000 1 Row inserted.
Notes
Note
For those accustomed to using
mysql_real_escape_string,
note that the arguments of
mysqli_real_escape_string
differ from what
mysql_real_escape_string
expects. The link identifier comes
first in
mysqli_real_escape_string,
whereas the string to be escaped comes first in
mysql_real_escape_string.
See Also
mysqli_set_charset
|
mysqli_character_set_name
|