Basic Tutorial : PHP mysql_real_escape_string() Function


mysql_real_escape_string() is a PHP function that prepends a backslash to the characters that have a special meaning inside a MySQL string literal, so that a value taken from the user can be placed between quotes in an SQL statement. The backslashes only exist in the SQL text: when MySQL stores or compares the value it removes them again, so the data in the table stays exactly what the user typed.
The characters it escapes are \x00, \n, \r, \, ', " and \x1a. addslashes() and stripslashes() also add and remove backslashes, but they know nothing about the database; mysql_real_escape_string() escapes exactly the set MySQL needs and uses the character set of the open connection (that is what the "real" in the name means), which is why it must be called after mysql_connect() and after the connection character set has been set with mysql_set_charset() rather than with a plain SET NAMES query, otherwise some multi-byte character sets let an attacker's byte sequence swallow the added backslash. Note also that the whole mysql_* extension is deprecated since PHP 5.5 and was removed in PHP 7.0; on current PHP the same job is done with mysqli_real_escape_string() or, better, with prepared statements (mysqli or PDO).


Many developers still leave their CMS open to attackers who target the database: the request parameter is used directly in the query whose rows are then read with mysql_fetch_*, without passing it through mysql_real_escape_string() first. A single quote (') appended to the URL parameter is enough to produce a MySQL error on the page, which tells the attacker that the input reaches the query unescaped and lets them go on to read the username and password columns.

Take a login page as an example: the script looks up the submitted username and password in the database with a SELECT statement. If that script is weak, an attacker can log in as the administrator and do whatever the admin page allows.

To prevent SQL injection, apply mysql_real_escape_string() to every user-supplied value before it is placed inside quotes in a query, so nothing undesirable happens to the website. Two limits to keep in mind: the function only protects values that sit between quotes (a number in WHERE id=$id, a column name or a LIMIT value needs a cast or a whitelist instead), and it needs an open connection, so call it after mysql_connect(). I can only explain a little about this function here, so please study the php mysql_real_escape_string() examples below ...

If you have read the post Tutorial : About SQL Injection And How To Fix, you know how easily an attacker performs SQL injection through the GET and POST methods. To avoid that, wrap the values read from $_GET and $_POST in mysql_real_escape_string(). So the PHP script below ...

Get method
$username = $_GET['username'];
$password = $_GET['password'];

Post method
$username = $_POST['username'];
$password = $_POST['password'];

Will be as follows :

Get method
$username = mysql_real_escape_string($_GET['username']);
$password = mysql_real_escape_string($_GET['password']);

Post method
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
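To see what the escaping actually changes in the query text, here is an added example (mine, not the tutorial's). Because mysql_real_escape_string() refuses to run without an open MySQL connection, the example uses a small stand-in, escape_like_mysql(), that applies the character list given above; unlike the real function it ignores the connection character set, so it is for illustration only. The news table and its id column are invented for the unquoted-number case.

```php
<?php
// Added example, not from the original tutorial.
// Stand-in for mysql_real_escape_string(): same character list, but no
// knowledge of the connection character set (which the real function uses).
// Do not use this in production; it exists only to show the mechanism.
function escape_like_mysql(string $s): string {
    return strtr($s, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Query built the vulnerable way, straight from the request.
function query_raw(string $user, string $pass): string {
    return "SELECT * FROM users WHERE user='" . $user . "' AND password='" . $pass . "'";
}

// Query built the way the tutorial recommends: every value escaped before it
// is placed between the quotes.
function query_escaped(string $user, string $pass): string {
    return "SELECT * FROM users WHERE user='" . escape_like_mysql($user)
         . "' AND password='" . escape_like_mysql($pass) . "'";
}

// Constructed attacker input: the quote closes the string literal and the
// "-- " comments out the password check.
$user = "admin' -- ";
$pass = "whatever";

echo query_raw($user, $pass), "\n";
echo query_escaped($user, $pass), "\n";

// Escaping only helps inside quotes. With an unquoted numeric column
// (assumed table news, column id) the attacker needs no quote at all, so the
// escaped query is still injectable.
function query_numeric_escaped(string $id): string {
    return "SELECT * FROM news WHERE id=" . escape_like_mysql($id);
}
echo query_numeric_escaped("1 OR 1=1"), "\n";

// The fix for that context is to force the type, not to escape.
function query_numeric_safe(string $id): string {
    return "SELECT * FROM news WHERE id=" . (int) $id;
}
echo query_numeric_safe("1 OR 1=1"), "\n";
```

In the escaped login query the attacker's quote comes out as \' and stays part of the username value, so the password check is still executed. In the numeric query the escaping changes nothing because the payload contains none of the seven characters, which is why a cast (or a prepared statement) is the right tool there.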

The following is a complete example of using the php mysql_real_escape_string() function when querying a MySQL database server from a PHP script.

$con = mysql_connect("localhost", "username", "password");
if (!$con)
  die('Could not connect: ' . mysql_error());
mysql_select_db("mydb", $con); // "mydb" is a placeholder database name

// some code to get username and password

// escape username and password for use in SQL
// (the connection must already be open: mysql_real_escape_string()
// uses its character set)
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);

// the escaped values are only safe because they sit inside the single quotes
$sql = "SELECT * FROM users WHERE
user='" . $username . "' AND password='" . $password . "'";

$result = mysql_query($sql, $con);

// more code


Below is a more elaborate example that wraps mysql_real_escape_string() in a helper function. Note that the extra filters (htmlspecialchars(), strip_tags(), stripslashes()) are not needed for SQL safety, they change the stored value (a legitimate O'Brien is saved as O&#039;Brien) and they really belong at output time rather than input time; what actually stops the injection here is mysql_real_escape_string() together with the ctype_alnum() whitelist check.

function anti_injection($data){
  // strip tags, undo magic_quotes slashes, then escape for the MySQL query
  $filter = mysql_real_escape_string(stripslashes(strip_tags(htmlspecialchars($data, ENT_QUOTES))));
  return $filter;
}

$username = anti_injection($_POST['username']);
$password = anti_injection(md5($_POST['password']));

// whitelist: only letters and digits are allowed (md5 output is always hex)
if (!ctype_alnum($username) OR !ctype_alnum($password)){
  // escape again at the output point: echoing raw input into a script block is a reflected XSS
  $safe = htmlspecialchars($username, ENT_QUOTES);
  echo "<script type=\"text/javascript\">window.alert('The username $safe you entered is incorrect'); history.back();</script>";
}

The PHP scripts in the earlier posts about calling MySQL, Create Emails Activation Form With PHP Script and PHP To Create Insert, Select, Update, Delete In MySQL Database Table, were not protected in this way, so it is a good idea to add mysql_real_escape_string() or another safeguard to them to protect your database server.