Class Schedule

PHP Basic Tutorial

• PHP Tutorial
• PHP Introduction
• PHP Installation
• PHP Syntax
• PHP Variables
• PHP Echo / Print
• PHP Data Types
• PHP String Functions
• PHP Constants
• PHP Operators
• PHP If...Else
• PHP Switch
• PHP While Loop
• PHP For Loop
• PHP Functions
• PHP Arrays
• PHP Array Sorting
• PHP Super Global

PHP Form

• PHP Form Processing
• PHP Form Validation
• PHP Required Form Field
• PHP Form URL/E-mail
• PHP Form Completion

PHP Advanced Tutorial

• PHP Multidimensional Arrays
• PHP Date
• PHP Include
• PHP File
• PHP File Open/Read
• PHP File Creation/Write
• PHP File Upload
• PHP Cookies
• PHP Sessions
• PHP E-mail
• PHP Secure E-mail
• PHP Error
• PHP Exception
• PHP Filter

PHP Database

• MySQL Introduction
• MySQL Connect
• MySQL Create
• MySQL Insert
• MySQL Select
• MySQL Where
• MySQL Order By
• MySQL Update
• MySQL Delete
• PHP ODBC

PHP XML

• XML Expat Parser
• XML DOM
• XML SimpleXML

PHP and AJAX

• AJAX Introduction
• XMLHttpRequest
• AJAX Suggest
• AJAX XML
• AJAX Database
• AJAX responseXML
• AJAX Live Search
• AJAX RSS Reader
• AJAX Poll

PHP Reference Manual

• PHP Array
• PHP Calendar
• PHP Date
• PHP Directory
• PHP Error
• PHP Filesystem
• PHP Filter
• PHP FTP
• PHP HTTP
• PHP LibXML
• PHP Mail
• PHP Math
• PHP MySQL
• PHP MySQLi
• PHP SimpleXML
• PHP String
• PHP XML
• PHP Zip
• PHP Miscellaneous
• PHP Time Zones

PHP Quizzes

• PHP Quizzes

Elective Courses

Course Recommendation:

• CodeW3C.com Treasure Box

Definition and Usage

The mysql_real_escape_string() function escapes special characters in the string used in SQL statements.

The following characters are affected:

• \x00
• \n
• \r
• \
• '
• "
• \x1a

If successful, the function returns the escaped string. If failed, it returns false.

Syntax

mysql_real_escape_string(string,connection)

Description

This function will string Escape special characters, and take into account the current character set of the connection, so it can be used safely for mysql_query().

Tips and comments

Tip:This function can be used to prevent database attacks.

Instance

Example 1

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
// Code to get the username and password
// Escape the username and password to use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'"
// More code
mysql_close($con);
?>

Example 2

Database attack. This example demonstrates what happens if we do not apply the mysql_real_escape_string() function to the username and password:

<?php
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";
mysql_query($sql);
// No check on username and password
// It can be any content input by the user, like:
$_POST['user'] = 'john';
$_POST['pwd'] = "' OR ''='";
// Some code...
mysql_close($con);
?>

Then the SQL query will become like this:

SELECT * FROM users
WHERE user='john' AND password='' OR ''=''

This means that any user can log in without entering a valid password.

Example 3

Best Practices for Preventing Database Attacks:

<?php
function check_input($value)
{
// Remove slashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// If not a number, add quotes
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}
$con = mysql_connect("localhost", "hello", "321");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
// Perform secure SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";
mysql_query($sql);
mysql_close($con);
?>

Toolbox

PHP Reference Manual

PHP Quizzes

Sponsor Links