The mysqli_real_escape_string() function escapes the special characters in a string so that the string can be embedded in an SQL statement, taking the character set of the current connection into account.
mysqli_real_escape_string() is used to escape the special characters in a string so that it becomes a valid SQL string literal. The input is escaped according to the character set of the current connection, which yields a correctly encoded value for use in an SQL statement.
mysqli_real_escape_string($con, $str)
No. | Parameter and Description
---|---
1 | con (Required) An object representing the connection to the MySQL server.
2 | str (Required) The string in which the special characters are to be escaped.
mysqli_real_escape_string() returns the escaped string, which can be used safely as a quoted literal in an SQL query.
Calling this function on an invalid connection returns NULL and emits an E_WARNING level error.
This function was introduced in PHP 5 and is available in all later versions.
The following example demonstrates the usage of mysqli_real_escape_string() (procedural style):
```php
<?php
// Make query errors return false instead of throwing (the default since PHP 8.1)
mysqli_report(MYSQLI_REPORT_OFF);

// Establish connection
$con = mysqli_connect("localhost", "root", "password", "mydb");

// Create table
mysqli_query($con, "CREATE TABLE my_team(Name VARCHAR(255), Country VARCHAR(255))");

$player = "S'Dhawan";
$country = "India";

// Insert record without escaping: the single quote in the name breaks the statement
$res = mysqli_query($con, "INSERT into my_team VALUES ('$player', '$country')");
if (!$res) {
    print("Error occurred");
} else {
    print("Record inserted successfully");
}
print("\n");

$player = mysqli_real_escape_string($con, $player);
$country = mysqli_real_escape_string($con, $country);

// Insert record with the escaped values
$res = mysqli_query($con, "INSERT into my_team VALUES ('$player', '$country')");
if (!$res) {
    print("Error occurred");
} else {
    print("Record inserted successfully");
}

// Close connection
mysqli_close($con);
?>
```
Output:
```text
Error occurred
Record inserted successfully
```
In object-oriented style, the syntax of this function is `$con->real_escape_string()`. The following example uses the object-oriented style:
```php
<?php
// Make query errors return false instead of throwing (the default since PHP 8.1)
mysqli_report(MYSQLI_REPORT_OFF);

// Connect to the database
$con = new mysqli("localhost", "root", "password", "test");

// Create table
$con->query("CREATE TABLE my_team(Name VARCHAR(255), Country VARCHAR(255))");

$player = "S'Dhawan";
$country = "India";

// Insert record without escaping: the single quote in the name breaks the statement
$res = $con->query("INSERT into my_team (Name) VALUES ('$player')");
if (!$res) {
    print("Error occurred");
} else {
    print("Record inserted successfully");
}
print("\n");

$player = $con->real_escape_string($player);

// Insert record with the escaped value
$res = $con->query("INSERT into my_team (Name) VALUES ('$player')");
if (!$res) {
    print("Error occurred");
} else {
    print("Record inserted successfully");
}

// Close connection
$con->close();
?>
```
Output:
```text
Error occurred
Record inserted successfully
```
Escaping a special character (a single quote) in a string:
```php
<?php
$con = mysqli_connect("localhost", "root", "password", "mydb");
// mysqli_connect_errno() takes no arguments; it reports the last connection attempt
if (mysqli_connect_errno()) {
    echo "Connection to MySQL failed: " . mysqli_connect_error();
    exit;
}
$myName = "Jr's";
$myName = mysqli_real_escape_string($con, $myName);
mysqli_query($con, "INSERT into emp (name) VALUES ('$myName')");
mysqli_close($con);
?>
```
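The following is an added example, not code from the original page. It shows which characters mysqli_real_escape_string() rewrites, why the connection character set must be set through the API before escaping, and how the same insert looks as a prepared statement, where the value never becomes part of the SQL text. The host, credentials, database name and the my_team table are the constructed values used in the examples above; the helper functions insert_escaped() and insert_prepared() are assumptions introduced here for illustration.

```php
<?php
// Added example (not from the original page): escaping versus a prepared statement.
// Assumes a MySQL server reachable with these constructed credentials and a
// database "mydb" containing the my_team(Name, Country) table created above.
$con = mysqli_connect("localhost", "root", "password", "mydb");
if ($con === false) {
    // On PHP 8.1+ a failed connection throws mysqli_sql_exception instead
    die("Connection failed: " . mysqli_connect_error());
}

// The escaping rules depend on the connection character set, so set it through
// the API rather than with a "SET NAMES" query, which the client library cannot see.
mysqli_set_charset($con, "utf8mb4");

// Characters mysqli_real_escape_string() rewrites: NUL, \n, \r, \, ', " and Ctrl-Z.
$samples = ["S'Dhawan", "O\"Brien", "back\\slash", "line\nbreak", "nul\0byte"];
foreach ($samples as $s) {
    printf("%-16s -> %s\n", json_encode($s), mysqli_real_escape_string($con, $s));
}

// Escaping only protects a value that is placed inside a quoted SQL string literal;
// it does nothing for identifiers or for unquoted numeric positions.
function insert_escaped(mysqli $con, string $player, string $country): bool
{
    $p = mysqli_real_escape_string($con, $player);
    $c = mysqli_real_escape_string($con, $country);
    return (bool) mysqli_query($con, "INSERT INTO my_team VALUES ('$p', '$c')");
}

// The same insert as a prepared statement: the values are bound separately from
// the SQL text, so no escaping step is needed at all.
function insert_prepared(mysqli $con, string $player, string $country): bool
{
    $stmt = mysqli_prepare($con, "INSERT INTO my_team VALUES (?, ?)");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, "ss", $player, $country);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

var_dump(insert_escaped($con, "S'Dhawan", "India"));
var_dump(insert_prepared($con, "S'Dhawan", "India"));

mysqli_close($con);
?>
```

Both inserts succeed for the name S'Dhawan. The prepared-statement form is the one to prefer in new code: it does not depend on remembering to escape every value, nor on the connection character set being set correctly before the escape call.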