<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="content-type" content="text/html; charset=UTF-8"> <title>Escapes special characters in a string for use in an SQL statement</title> </head> <body><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.mysql-query.html">mysql_query</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.mysql-result.html">mysql_result</a></div> <div class="up"><a href="ref.mysql.html">MySQL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div><hr /><div id="function.mysql-real-escape-string" class="refentry"> <div class="refnamediv"> <h1 class="refname">mysql_real_escape_string</h1> <p class="verinfo">(PHP 4 >= 4.3.0, PHP 5)</p><p class="refpurpose"><span class="refname">mysql_real_escape_string</span> — <span class="dc-title">Escapes special characters in a string for use in an SQL statement</span></p> </div> <div id="function.mysql-real-escape-string-refsynopsisdiv"> <div class="warning"><strong class="warning">Warning</strong> <p class="para">This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the <a href="book.mysqli.html" class="link">MySQLi</a> or <a href="ref.pdo-mysql.html" class="link">PDO_MySQL</a> extension should be used. See also <a href="mysqlinfo.api.choosing.html" class="link">MySQL: choosing an API</a> guide and <a href="faq.databases.html#faq.databases.mysql.deprecated" class="link">related FAQ</a> for more information. Alternatives to this function include:</p> <ul class="simplelist"> <li class="member"> <span class="function"><a href="mysqli.real-escape-string.html" class="function">mysqli_real_escape_string()</a></span></li> <li class="member"> <span class="methodname"><a href="pdo.quote.html" class="methodname">PDO::quote()</a></span></li> </ul> </div> </div> <div class="refsect1 description" id="refsect1-function.mysql-real-escape-string-description"> <h3 class="title">Description</h3> <div class="methodsynopsis dc-description"> <span class="type">string</span> <span class="methodname"><strong>mysql_real_escape_string</strong></span> ( <span class="methodparam"><span class="type">string</span> <code class="parameter">$unescaped_string</code></span> [, <span class="methodparam"><span class="type">resource</span> <code class="parameter">$link_identifier</code><span class="initializer"> = NULL</span></span> ] )</div> <p class="para rdfs-comment"> Escapes special characters in the <em><code class="parameter">unescaped_string</code></em>, taking into account the current character set of the connection so that it is safe to place it in a <span class="function"><a href="function.mysql-query.html" class="function">mysql_query()</a></span>. If binary data is to be inserted, this function must be used. </p> <p class="para"> <span class="function"><strong>mysql_real_escape_string()</strong></span> calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: <em>\x00</em>, <em>\n</em>, <em>\r</em>, <em>\</em>, <em>'</em>, <em>"</em> and <em>\x1a</em>. </p> <p class="para"> This function must always (with few exceptions) be used to make data safe before sending a query to MySQL. </p> <div class="caution"><strong class="caution">Caution</strong> <h1 class="title">Security: the default character set</h1> <p class="para"> The character set must be set either at the server level, or with the API function <span class="function"><a href="function.mysql-set-charset.html" class="function">mysql_set_charset()</a></span> for it to affect <span class="function"><strong>mysql_real_escape_string()</strong></span>. See the concepts section on <a href="mysqlinfo.concepts.charset.html" class="link">character sets</a> for more information. </p> </div> </div> <div class="refsect1 parameters" id="refsect1-function.mysql-real-escape-string-parameters"> <h3 class="title">Parameters</h3> <p class="para"> <dl> <dt> <span class="term"><em><code class="parameter">unescaped_string</code></em></span> <dd> <p class="para"> The string that is to be escaped. </p> </dd> </dt> <dt> <span class="term"><em><code class="parameter"> link_identifier</code></em></span><dd> <p class="para">The MySQL connection. If the link identifier is not specified, the last link opened by <span class="function"><a href="function.mysql-connect.html" class="function">mysql_connect()</a></span> is assumed. If no such link is found, it will try to create one as if <span class="function"><a href="function.mysql-connect.html" class="function">mysql_connect()</a></span> was called with no arguments. If no connection is found or established, an <strong><code>E_WARNING</code></strong> level error is generated.</p></dd> </dt> </dl> </p> </div> <div class="refsect1 returnvalues" id="refsect1-function.mysql-real-escape-string-returnvalues"> <h3 class="title">Return Values</h3> <p class="para"> Returns the escaped string, or <strong><code>FALSE</code></strong> on error. </p> </div> <div class="refsect1 examples" id="refsect1-function.mysql-real-escape-string-examples"> <h3 class="title">Examples</h3> <p class="para"> <div class="example" id="example-1610"> <p><strong>Example #1 Simple <span class="function"><strong>mysql_real_escape_string()</strong></span> example</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// Connect<br /></span><span style="color: #0000BB">$link </span><span style="color: #007700">= </span><span style="color: #0000BB">mysql_connect</span><span style="color: #007700">(</span><span style="color: #DD0000">'mysql_host'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_user'</span><span style="color: #007700">, </span><span style="color: #DD0000">'mysql_password'</span><span style="color: #007700">)<br /> OR die(</span><span style="color: #0000BB">mysql_error</span><span style="color: #007700">());<br /><br /></span><span style="color: #FF8000">// Query<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #0000BB">sprintf</span><span style="color: #007700">(</span><span style="color: #DD0000">"SELECT * FROM users WHERE user='%s' AND password='%s'"</span><span style="color: #007700">,<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$user</span><span style="color: #007700">),<br /> </span><span style="color: #0000BB">mysql_real_escape_string</span><span style="color: #007700">(</span><span style="color: #0000BB">$password</span><span style="color: #007700">));<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> </div> </p> <p class="para"> <div class="example" id="example-1611"> <p><strong>Example #2 An example SQL Injection Attack</strong></p> <div class="example-contents"> <div class="phpcode"><code><span style="color: #000000"> <span style="color: #0000BB"><?php<br /></span><span style="color: #FF8000">// We didn't check $_POST['password'], it could be anything the user wanted! For example:<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">] = </span><span style="color: #DD0000">'aidan'</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">] = </span><span style="color: #DD0000">"' OR ''='"</span><span style="color: #007700">;<br /><br /></span><span style="color: #FF8000">// Query database to check if there are any matching users<br /></span><span style="color: #0000BB">$query </span><span style="color: #007700">= </span><span style="color: #DD0000">"SELECT * FROM users WHERE user='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'username'</span><span style="color: #007700">]}</span><span style="color: #DD0000">' AND password='</span><span style="color: #007700">{</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'password'</span><span style="color: #007700">]}</span><span style="color: #DD0000">'"</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">mysql_query</span><span style="color: #007700">(</span><span style="color: #0000BB">$query</span><span style="color: #007700">);<br /><br /></span><span style="color: #FF8000">// This means the query sent to MySQL would be:<br /></span><span style="color: #007700">echo </span><span style="color: #0000BB">$query</span><span style="color: #007700">;<br /></span><span style="color: #0000BB">?></span> </span> </code></div> </div> <div class="example-contents"><p> The query sent to MySQL: </p></div> <div class="example-contents screen"> <div class="cdata"><pre> SELECT * FROM users WHERE user='aidan' AND password='' OR ''='' </pre></div> </div> <div class="example-contents"><p> This would allow anyone to log in without a valid password. </p></div> </div> </p> </div> <div class="refsect1 notes" id="refsect1-function.mysql-real-escape-string-notes"> <h3 class="title">Notes</h3> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> A MySQL connection is required before using <span class="function"><strong>mysql_real_escape_string()</strong></span> otherwise an error of level <strong><code>E_WARNING</code></strong> is generated, and <strong><code>FALSE</code></strong> is returned. If <em><code class="parameter">link_identifier</code></em> isn't defined, the last MySQL connection is used. </p> </p></blockquote> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> If <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> is enabled, first apply <span class="function"><a href="function.stripslashes.html" class="function">stripslashes()</a></span> to the data. Using this function on data which has already been escaped will escape the data twice. </p> </p></blockquote> <blockquote class="note"><p><strong class="note">Note</strong>: <p class="para"> If this function is not used to escape data, the query is vulnerable to <a href="security.database.sql-injection.html" class="link">SQL Injection Attacks</a>. </p> </p></blockquote> <blockquote class="note"><p><strong class="note">Note</strong>: <span class="simpara"> <span class="function"><strong>mysql_real_escape_string()</strong></span> does not escape <em>%</em> and <em>_</em>. These are wildcards in MySQL if combined with <em>LIKE</em>, <em>GRANT</em>, or <em>REVOKE</em>. </span> </p></blockquote> </div> <div class="refsect1 seealso" id="refsect1-function.mysql-real-escape-string-seealso"> <h3 class="title">See Also</h3> <p class="para"> <ul class="simplelist"> <li class="member"> <span class="function"><a href="function.mysql-set-charset.html" class="function" rel="rdfs-seeAlso">mysql_set_charset()</a> - Sets the client character set</span></li> <li class="member"> <span class="function"><a href="function.mysql-client-encoding.html" class="function" rel="rdfs-seeAlso">mysql_client_encoding()</a> - Returns the name of the character set</span></li> <li class="member"> <span class="function"><a href="function.addslashes.html" class="function" rel="rdfs-seeAlso">addslashes()</a> - Quote string with slashes</span></li> <li class="member"> <span class="function"><a href="function.stripslashes.html" class="function" rel="rdfs-seeAlso">stripslashes()</a> - Un-quotes a quoted string</span></li> <li class="member">The <a href="info.configuration.html#ini.magic-quotes-gpc" class="link">magic_quotes_gpc</a> directive</li> <li class="member">The <a href="info.configuration.html#ini.magic-quotes-runtime" class="link">magic_quotes_runtime</a> directive</li> </ul> </p> </div> </div><hr /><div class="manualnavbar" style="text-align: center;"> <div class="prev" style="text-align: left; float: left;"><a href="function.mysql-query.html">mysql_query</a></div> <div class="next" style="text-align: right; float: right;"><a href="function.mysql-result.html">mysql_result</a></div> <div class="up"><a href="ref.mysql.html">MySQL Functions</a></div> <div class="home"><a href="index.html">PHP Manual</a></div> </div></body></html>