AOW >> My Sql Real Escape Sting

My Sql Real Escape Sting

PHP Function mysqli_real_escape_string()

mysqli _real_escape_string() is  a function that is use for escape the special characters from the string or the statement like ” ‘ ” < > / \ | ( )  !  %  ^  _ –  . , “, It is a way to prevent injections and characters that have special meaning in sql.

When creating a database and the values are not passed to the function mysqli _real_escape_string(),  it is very dangerous because irrelevant user can easily access the data or database of website, and the hackers can easily hack and perform sql injection attacks on website. They can easily insert sql statements for execution through fields and temper with existing data in database.

Santax: mysqli _real_escape_string(‘Value, character, string comes here’);

The main purpose of mysqli _real_escape_string() is to make the website secure and prevent the database(sql) from injections. Once the values, characters or strings are passed through the the mysqli _real_escape_string() it will secure and not possible to inject.

$name = 'Brwebsolution'; // string
$company = ''; // string
mysqli_real_escape_string($name); //passing value through mysqli_real_escape_string();
mysqli_real_escape_string($company);  //passing value through mysqli_real_escape_string();

In above code two strings are taken ‘Brwebsolution’ and the other ‘’ both strings are stored in separate variable for first string variable is  $name and for second string variable is $company, then the variables in which strings are stored passed through the mysqli _real_escape_string()  function separately, which makes the database secure from the injections.

PHP Code Example

$name = $_POST['your_name'];
"Insert into `information` (`name`) values('".mysqli_real_escape_string($name)."')";
<form method="post" action="#">
<input type="text" name="your_name" placeholder="name"/>
<input type="submit" name="submit" value="Insert"/>

In about example the data is inserted in database through text field by using post method and the data is passed through mysqli _real_escape_string() by using proper sql insertion query which is

"Insert into `information` (`name`) values('".mysqli_real_escape_string($name)."')";

If we insert special character in database through text flied they will also insert in our table because we use the mysqli _real_escape_string() function.

Same procedure while Selecting the data from database pass the value through the mysqli _real_escape_string() function.

"Select * from `information` where name='".mysql_real_escape_string($name)."'";

Same procedure while Updating the data from database pass the value through the mysqli _real_escape_string() function.

"UPDATE `information` SET `name`='".mysql_real_escape_string($name)."' WHERE `id`='".mysql_real_escape_string('1')."'";


Please follow and like us:

Leave a Reply

Your email address will not be published. Required fields are marked *