<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>Escapes special characters in a string for use in an SQL statement</title>
</head>
<body><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.mysql-query.html">mysql_query</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.mysql-result.html">mysql_result</a></div>
<div class="up"><a href="ref.mysql.html">MySQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div><hr /><div id="function.mysql-real-escape-string" class="refentry">
<div class="refnamediv">
<h1 class="refname">mysql_real_escape_string</h1>
<p class="verinfo">(PHP 4 >= 4.3.0, PHP 5)</p><p class="refpurpose"><span class="refname">mysql_real_escape_string</span> — <span class="dc-title">Escapes special characters in a string for use in an SQL statement</span></p>
</div>
<div id="function.mysql-real-escape-string-refsynopsisdiv">
<div class="warning"><strong class="warning">Warning</strong>
<p class="para">This extension is deprecated as of PHP 5.5.0, and will be removed in the future.
Instead, the <a href="book.mysqli.html" class="link">MySQLi</a> or <a href="ref.pdo-mysql.html" class="link">PDO_MySQL</a> extension should be used.
See also <a href="mysqlinfo.api.choosing.html" class="link">MySQL: choosing an API</a> guide and
<a href="faq.databases.html#faq.databases.mysql.deprecated" class="link">related FAQ</a> for more information.
Alternatives to this function include:</p>
<ul class="simplelist">
<li class="member"> <span class="function"><a href="mysqli.real-escape-string.html" class="function">mysqli_real_escape_string()</a></span></li>
<li class="member"> <span class="methodname"><a href="pdo.quote.html" class="methodname">PDO::quote()</a></span></li>
</ul>
</div>
</div>
<div class="refsect1 description" id="refsect1-function.mysql-real-escape-string-description">
<h3 class="title">Description</h3>
<div class="methodsynopsis dc-description">
<span class="type">string</span> <span class="methodname"><strong>mysql_real_escape_string</strong></span>
( <span class="methodparam"><span class="type">string</span> <code class="parameter">$unescaped_string</code></span>
[, <span class="methodparam"><span class="type">resource</span> <code class="parameter">$link_identifier</code><span class="initializer"> = NULL</span></span>
] )</div>
<p class="para rdfs-comment">
Escapes special characters in the <em><code class="parameter">unescaped_string</code></em>,
taking into account the current character set of the connection so that it
is safe to place it in a <span class="function"><a href="function.mysql-query.html" class="function">mysql_query()</a></span>. If binary data
is to be inserted, this function must be used.
</p>
<p class="para">
<span class="function"><strong>mysql_real_escape_string()</strong></span> calls MySQL's library function
mysql_real_escape_string, which prepends backslashes to the following characters:
<em>\x00</em>, <em>\n</em>,
<em>\r</em>, <em>\</em>, <em>'</em>,
<em>"</em> and <em>\x1a</em>.
</p>
<p class="para">
This function must always (with few exceptions) be used to make data
safe before sending a query to MySQL.
</p>
<div class="caution"><strong class="caution">Caution</strong>
<h1 class="title">Security: the default character set</h1>
<p class="para">
The character set must be set either at the server level, or with
the API function <span class="function"><a href="function.mysql-set-charset.html" class="function">mysql_set_charset()</a></span> for it to affect
<span class="function"><strong>mysql_real_escape_string()</strong></span>. See the concepts section
on <a href="mysqlinfo.concepts.charset.html" class="link">character sets</a> for
more information.
</p>
</div>
</div>
<div class="refsect1 parameters" id="refsect1-function.mysql-real-escape-string-parameters">
<h3 class="title">Parameters</h3>
<p class="para">
<dl>
<dt>
<span class="term"><em><code class="parameter">unescaped_string</code></em></span>
<dd>
<p class="para">
The string that is to be escaped.
</p>
</dd>
</dt>
<dt>
<span class="term"><em><code class="parameter">
link_identifier</code></em></span><dd>
<p class="para">The MySQL connection. If the
link identifier is not specified, the last link opened by
<span class="function"><a href="function.mysql-connect.html" class="function">mysql_connect()</a></span> is assumed. If no such link is found, it
will try to create one as if <span class="function"><a href="function.mysql-connect.html" class="function">mysql_connect()</a></span> was called
with no arguments. If no connection is found or established, an
<strong><code>E_WARNING</code></strong> level error is generated.</p></dd>
</dt>
</dl>
</p>
</div>
<div class="refsect1 returnvalues" id="refsect1-function.mysql-real-escape-string-returnvalues">
<h3 class="title">Return Values</h3>
<p class="para">
Returns the escaped string, or <strong><code>FALSE</code></strong> on error.
</p>
</div>
<div class="refsect1 examples" id="refsect1-function.mysql-real-escape-string-examples">
<h3 class="title">Examples</h3>
<p class="para">
<div class="example" id="example-1610">
<p><strong>Example #1 Simple <span class="function"><strong>mysql_real_escape_string()</strong></span> example</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// Connect<br /></span><span style="color: #0000BB">$link </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">'mysql_host'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_user'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_password'</span><span style="color: #007700">)<br /> OR die(</span><span style="color: #0000BB">mysql_error</span><span style="color: #007700">());<br /><br /></span><span style="color: #FF8000">// Query<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT * FROM users WHERE user='%s' AND password='%s'"</span><span style="color: #007700">,<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$user</span><span style="color: #007700">),<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
</div>
</p>
<p class="para">
<div class="example" id="example-1611">
<p><strong>Example #2 An example SQL Injection Attack</strong></p>
<div class="example-contents">
<div class="phpcode"><code><span style="color: #000000">
<span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// We didn't check $_POST['password'], it could be anything the user wanted! For example:<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">] = </span><span style="color: #DD0000">'aidan'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">] = </span><span style="color: #DD0000">"' OR ''='"</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Query database to check if there are any matching users<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT * FROM users WHERE user='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">]}</span><span style="color: #DD0000">' AND password='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">]}</span><span style="color: #DD0000">'"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">mysql_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// This means the query sent to MySQL would be:<br /></span><span style="color: #007700">echo </span><span style="color: #0000BB">$query</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span>
</span>
</code></div>
</div>
<div class="example-contents"><p>
The query sent to MySQL:
</p></div>
<div class="example-contents screen">
<div class="cdata"><pre>
SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
</pre></div>
</div>
<div class="example-contents"><p>
This would allow anyone to log in without a valid password.
</p></div>
</div>
</p>
</div>
<div class="refsect1 notes" id="refsect1-function.mysql-real-escape-string-notes">
<h3 class="title">Notes</h3>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
A MySQL connection is required before using
<span class="function"><strong>mysql_real_escape_string()</strong></span> otherwise an error of
level <strong><code>E_WARNING</code></strong> is generated, and <strong><code>FALSE</code></strong> is
returned. If <em><code class="parameter">link_identifier</code></em> isn't defined, the
last MySQL connection is used.
</p>
</p></blockquote>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
If <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> is enabled,
first apply <span class="function"><a href="function.stripslashes.html" class="function">stripslashes()</a></span> to the data. Using this function
on data which has already been escaped will escape the data twice.
</p>
</p></blockquote>
<blockquote class="note"><p><strong class="note">Note</strong>:
<p class="para">
If this function is not used to escape data, the query is vulnerable to
<a href="security.database.sql-injection.html" class="link">SQL Injection Attacks</a>.
</p>
</p></blockquote>
<blockquote class="note"><p><strong class="note">Note</strong>:
<span class="simpara">
<span class="function"><strong>mysql_real_escape_string()</strong></span> does not escape
<em>%</em> and <em>_</em>. These are wildcards in
MySQL if combined with <em>LIKE</em>, <em>GRANT</em>,
or <em>REVOKE</em>.
</span>
</p></blockquote>
</div>
<div class="refsect1 seealso" id="refsect1-function.mysql-real-escape-string-seealso">
<h3 class="title">See Also</h3>
<p class="para">
<ul class="simplelist">
<li class="member"> <span class="function"><a href="function.mysql-set-charset.html" class="function" rel="rdfs-seeAlso">mysql_set_charset()</a> - Sets the client character set</span></li>
<li class="member"> <span class="function"><a href="function.mysql-client-encoding.html" class="function" rel="rdfs-seeAlso">mysql_client_encoding()</a> - Returns the name of the character set</span></li>
<li class="member"> <span class="function"><a href="function.addslashes.html" class="function" rel="rdfs-seeAlso">addslashes()</a> - Quote string with slashes</span></li>
<li class="member"> <span class="function"><a href="function.stripslashes.html" class="function" rel="rdfs-seeAlso">stripslashes()</a> - Un-quotes a quoted string</span></li>
<li class="member">The <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> directive</li>
<li class="member">The <a href="info.configuration.html#ini.magic-quotes-runtime" class="link">magic_quotes_runtime</a> directive</li>
</ul>
</p>
</div>
</div><hr /><div class="manualnavbar" style="text-align: center;">
<div class="prev" style="text-align: left; float: left;"><a href="function.mysql-query.html">mysql_query</a></div>
<div class="next" style="text-align: right; float: right;"><a href="function.mysql-result.html">mysql_result</a></div>
<div class="up"><a href="ref.mysql.html">MySQL Functions</a></div>
<div class="home"><a href="index.html">PHP Manual</a></div>
</div></body></html>
