In this article you are going to learn the mysql_real_escape_string() function in php. Well, as the name suggests, this function is used to escape the special characters representing a string before using the mysql_query() function to interact with the MySQL database of the system.
The main motive behind the use of mysql_real_escape_string() function in php is to prevent SQL injections, an illegitimate code injection technique which is used to retrieve the sensible information of users from the database.
The intimate details saved in the MySQL database of several websites and web applications that have less secured RDBMS(Relational Database Management System) is prone to the attackers or illicit users. They might get all the secret information stored in the database through SQL injection such as username, passwords etc of the employees working in an organisation or the users that are registered with online portals.
In order to make the data safe and protected from malicious activities by illicit users, a programmer uses the function mysql_real_escape_string() before interacting with the database through MySQL queries.
SYNTAX
mysql_real_escape_string($special_character, $link_locator)
Two parameters that are essentially used in this function are discussed below.
- $special_character- this parameter represents the string(special character) to be escaped.
- $link_locator- this parameter represents a valid MySQL connection. If link locator is not defined in the function, the last MySQL connection will be assumed. And if it fails to connect to the MySQL server, it will show an error which we will discuss later in this article.
RESULT/ RETURN VALUE
The successful execution of this function will return the escaped character which represents a string. And, it will return False if the program execution fails. This may be due to the failure in connection with the server.
ERRORS THAT OCCUR USING MYSQL_REAL_ESCAPE_STRING() FUNCTION IN PHP
There are no such influencing errors. However, you must establish a valid MySQL connection to the server in the beginning of writing a php script. This is done by using mysql_connect() function. Not doing so will result in generation of an E_WARNING message and the program will not get executed i.e, False is returned.
EXAMPLE
We have shown below an example of mysql_real_escape_string() function to escape characters to prevent the database from SQL injection.
Output : You will get the following output after running the above php script. Here, we have used ‘w3training school’ as the string to be escaped and is stored in the variable $lastname. This variable is now declared inside mysql_real_escape_string() function and the new value is stored in the variable $_lastname. After performing all this, we have applied the query in order to interact with the database.
Above, you have learned how to use the mysql_real_escape_string() function and the benefit it provides while interacting with the database of the system i.e, prevention from SQL injections by malicious users. Hope you liked this article. For further updates, stay tuned to our php blogs.