PHP real_escape_string() and mysqli_real_escape_string()
This article covers two PHP functions:
- real_escape_string()
- mysqli_real_escape_string()
Both functions are used to escape special characters in a string. The only difference is that real_escape_string() is used in PHP MySQLi object-oriented scripts, whereas mysqli_real_escape_string() is used in PHP MySQLi procedural scripts.
PHP real_escape_string()
The PHP real_escape_string() function is used to escape special characters in the specified string, in object-oriented style. For example:
<?php
   // Connection settings
   $server = "localhost";
   $user = "root";
   $pass = "";
   $db = "fresherearth";

   $conn = new mysqli($server, $user, $pass, $db);

   if($conn->connect_errno)
   {
      echo "Database connection failed!<BR>";
      echo "Reason: ", $conn->connect_error;
      exit();
   }

   // Escape each form value before placing it inside the quoted SQL literals
   $username = $conn->real_escape_string($_POST['user']);
   $fullname = $conn->real_escape_string($_POST['name']);
   $email = $conn->real_escape_string($_POST['email']);

   $sql = "INSERT INTO `user`(`username`, `fullname`, `email`)
      VALUES ('$username', '$fullname', '$email')";

   $qry = $conn->query($sql);
   if($qry)
   {
      echo "Data inserted successfully.";

      // block of code, to process further...
   }
   else
   {
      echo "Something went wrong!<BR>";
      echo "Error Description: ", $conn->error;
   }
   $conn->close();
?>
In the above example, the following statement:
$username = $conn->real_escape_string($_POST['user']);
is used to escape special characters (if any) in the data received from the form field whose name is user. The same goes for the next two real_escape_string() statements. In this way, any special characters are escaped before the data is inserted into the database.
The above example can also be written as:
<?php
   // mysqli_connect() returns false on failure, which has no connect_errno
   // property, so the object-oriented constructor is used here
   $conn = new mysqli("localhost", "root", "", "fresherearth");

   if(!$conn->connect_errno)
   {
      $username = $conn->real_escape_string($_POST['user']);
      $fullname = $conn->real_escape_string($_POST['name']);
      $email = $conn->real_escape_string($_POST['email']);

      $sql = "INSERT INTO `user`(`username`, `fullname`, `email`)
         VALUES ('$username', '$fullname', '$email')";

      if($conn->query($sql))
      {
         echo "Data inserted successfully.";

         // block of code, to process further...
      }

      // Close the connection only if it was actually opened
      $conn->close();
   }
?>
Note - mysqli() is used to open a connection to the MySQL database server, in object-oriented style.
Note - The new keyword is used to create a new object.
Note - connect_errno is used to get the error code (if any) from the last connect call, in object-oriented style.
Note - connect_error is used to get the error description (if any) from the last connection attempt, in object-oriented style.
Note - exit() is used to terminate the execution of the current PHP script.
Note - query() is used to perform a query on the MySQL database, in object-oriented style.
Note - error is used to return the description of the error (if any) from the most recent function call, in object-oriented style.
Note - close() is used to close an opened connection, in object-oriented style.
PHP real_escape_string() Syntax
The syntax of the real_escape_string() function in PHP is:
connectionVariable -> real_escape_string(string)
PHP mysqli_real_escape_string()
The PHP mysqli_real_escape_string() function escapes special characters in the specified string, in procedural style. For example:
<?php
   $conn = mysqli_connect("localhost", "root", "", "fresherearth");

   if(!mysqli_connect_errno())
   {
      // Escape each form value before placing it inside the quoted SQL literals
      $username = mysqli_real_escape_string($conn, $_POST['user']);
      $fullname = mysqli_real_escape_string($conn, $_POST['name']);
      $email = mysqli_real_escape_string($conn, $_POST['email']);

      $sql = "INSERT INTO `user`(`username`, `fullname`, `email`)
         VALUES ('$username', '$fullname', '$email')";

      if(mysqli_query($conn, $sql))
      {
         echo "Data inserted successfully.";

         // block of code, to process further
      }

      // Close the connection only if it was actually opened
      mysqli_close($conn);
   }
?>
Note - mysqli_connect() is used to open a connection to the MySQL database server, in procedural style.
Note - mysqli_connect_errno() is used to get the error code (if any) from the last connect call, in procedural style.
Note - mysqli_query() is used to perform a query on the MySQL database, in procedural style.
Note - mysqli_close() is used to close an opened connection to the MySQL database, in procedural style.
PHP mysqli_real_escape_string() Syntax
The syntax of the mysqli_real_escape_string() function in PHP is:
mysqli_real_escape_string(connectionVariable, string)
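Both escaping functions only protect a value that ends up inside a quoted SQL string, and they escape according to the connection's character set. The added example below (not code from the original page) pins the charset, shows the escaped-and-quoted use, and performs the page's INSERT with bound parameters instead; it assumes the `fresherearth` database and `user` table used above, and formFields() and insertUser() are hypothetical helper names.

```php
<?php
// Added example; assumes the page's `fresherearth` database and `user` table.
// Make mysqli throw mysqli_sql_exception instead of returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function formFields(array $input): array   // hypothetical helper
{
    // Reject missing or non-string fields (user[]=x arrives as an array).
    $fields = [];
    foreach (['user', 'name', 'email'] as $key) {
        if (!isset($input[$key]) || !is_string($input[$key])) {
            throw new InvalidArgumentException("Missing or invalid field: $key");
        }
        $fields[$key] = $input[$key];
    }
    return $fields;
}

function insertUser(mysqli $conn, array $f): int   // hypothetical helper
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $conn->prepare("INSERT INTO `user`(`username`, `fullname`, `email`) VALUES (?, ?, ?)");
    $stmt->bind_param("sss", $f['user'], $f['name'], $f['email']);
    $stmt->execute();
    return $stmt->affected_rows;
}

try {
    $f = formFields($_POST);
    $conn = new mysqli("localhost", "root", "", "fresherearth");
    // Escaping depends on the connection character set, so pin it first.
    $conn->set_charset("utf8mb4");
    // Where escaping is still used, the value must stay inside quotes.
    $email = $conn->real_escape_string($f['email']);
    $seen = $conn->query("SELECT 1 FROM `user` WHERE `email` = '$email'")->num_rows;
    echo $seen ? "Email already registered." : insertUser($conn, $f) . " row inserted.";
    $conn->close();
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Invalid form data.";
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // keep database details out of the response
    http_response_code(500);
    echo "Something went wrong!";
}
```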