mysqli_real_escape_string()
The mysqli_real_escape_string() function is a part of the MySQLi ("MySQL Improved") extension in PHP. This function is used to escape special characters in a string for use in an SQL query, considering the current character set of the connection.
The primary purpose of this function is to prevent SQL injection attacks, which can occur when unescaped special characters in SQL statements are interpreted as command parts.
It escapes certain characters like single quotes ('
), double quotes ("
), backslash (\
), and NULL (the NULL byte), among others. This is important because these characters can be used maliciously in SQL commands by attackers.
The function is aware of the character set used by the MySQL connection, ensuring that the escaping is done correctly according to the specific encoding. To use this function, you first need to establish a connection to a MySQL database using MySQLi. The mysqli_real_escape_string() function then takes two arguments: the MySQLi database connection and the string to be escaped.
An example is:
$connection = mysqli_connect("localhost", "username", "password", "database");
$unsafe_variable = $_POST['user_input'];
$safe_variable = mysqli_real_escape_string($connection, $unsafe_variable);
$sql = "SELECT * FROM table WHERE column = '$safe_variable'";