PHP | mysqli_real_escape_string() Function

PHP mysqli_real_escape_string() Function


Hello folks! Welcome back to a new edition of our tutorial on PHP. In this tutorial guide, we are going to study the PHP mysqli_real_escape_string() function.

The mysqli_real_escape_string() function escapes the special characters in a string, taking the connection's current character set into account, so that the string can be used inside a quoted string literal in an SQL statement.

Syntax

The syntax of this function is as follows -

mysqli_real_escape_string($con, $str)


Parameter Details

Sr.No   Parameter & Description

1       con (Mandatory)
        This is an object representing a connection to MySQL Server.

2       str (Mandatory)
        This is a string in which you need to escape the special characters.


Return Value

This function returns the escaped string, which can be used in SQL queries.

PHP Version

This PHP function was first introduced in PHP version 5 and it works in all the later versions.

Example1

The following example illustrates the usage of the built-in PHP mysqli_real_escape_string() function (in procedural style) -

<?php
//Return false on errors instead of throwing (exceptions are the default since PHP 8.1)
mysqli_report(MYSQLI_REPORT_OFF);

//Creating a connection
$con = mysqli_connect("localhost", "root", "password", "mydb");
//Creating a table
mysqli_query($con, "CREATE TABLE my_team(Name VARCHAR(255), Country VARCHAR(255))");

//The single quote in this value ends the SQL string literal early unless it is escaped
$player = "Iwobi's";
$country = "Nigeria";

//Inserting a record without escaping (fails with an SQL syntax error)
$res = mysqli_query($con, "INSERT into my_team VALUES ('$player', '$country')");
if(!$res){
   print("Error occurred");
}else{
   print("Record inserted successfully");
}

print("\n");

//Escaping the special characters in both values
$player = mysqli_real_escape_string($con, $player);
$country = mysqli_real_escape_string($con, $country);

//Inserting a record with the escaped values
$res = mysqli_query($con, "INSERT into my_team VALUES ('$player', '$country')");
if(!$res){
   print("Error occurred");
}else{
   print("Record inserted successfully");
}

//Closing the connection
mysqli_close($con);
?>

Output

When the above code is executed, it will produce the following result -

Error occurred
Record inserted successfully

Example2

In object oriented style the syntax of this function is $con->real_escape_string(). The following is an example of this function in object oriented style -

<?php
   //Return false on errors instead of throwing (exceptions are the default since PHP 8.1)
   mysqli_report(MYSQLI_REPORT_OFF);

   //Connecting to the database
   $con = new mysqli("localhost", "root", "password", "test");

   //Creating a table
   $con->query("CREATE TABLE my_team(Name VARCHAR(255), Country VARCHAR(255))");

   //The single quote in this value ends the SQL string literal early unless it is escaped
   $player = "Iwobi's";

   //Inserting a record without escaping (fails with an SQL syntax error)
   $res = $con->query("INSERT into my_team (Name) VALUES ('$player')");
   if(!$res){
      print("Error occurred");
   }else{
      print("Record inserted successfully");
   }

   print("\n");

   //Escaping the special characters in the value
   $player = $con->real_escape_string($player);

   //Inserting a record with the escaped value
   $res = $con->query("INSERT into my_team (Name) VALUES ('$player')");
   if(!$res){
      print("Error occurred");
   }else{
      print("Record inserted successfully");
   }

   //Closing the connection
   $con->close();
?>

Output

When the above code is executed, it will produce the following result -

Error occurred
Record inserted successfully

Example3

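Try the following example -

<?php
   //Return false on errors instead of throwing (exceptions are the default since PHP 8.1)
   mysqli_report(MYSQLI_REPORT_OFF);

   $con = mysqli_connect("localhost","root","password","mydb");
   
   //mysqli_connect_errno() takes no arguments
   if (mysqli_connect_errno()){
      echo "Failed to connect to MySQL: " . mysqli_connect_error();
      exit(1);
   }
   $myName = "Jr's";
   //Escaping the single quote before the value is placed inside the quoted literal
   $myName = mysqli_real_escape_string($con,$myName);
   
   mysqli_query($con,"INSERT into emp (name) VALUES ('$myName')");
   mysqli_close($con);
?>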
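
The following is an added example, not part of the original tutorial. It sets the connection character set with set_charset() before escaping, always places the escaped value inside quotes, and runs the same inserts through a prepared statement, which sends the value separately from the SQL text. The escape_demo table and the sample values are assumptions made for the illustration; the connection details are the tutorial's placeholders.

```php
<?php
// Added example (not from the original tutorial). Connection details are the
// tutorial's placeholders; the escape_demo table is hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on any failure

$con = new mysqli("localhost", "root", "password", "mydb");
// Set the charset through the API (not "SET NAMES") so real_escape_string()
// escapes for the same character set the server uses to parse the query.
$con->set_charset("utf8mb4");
$con->query("CREATE TEMPORARY TABLE escape_demo
    (id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(255))");

// Constructed sample values containing characters the function escapes.
$samples = ["Jr's", 'back\\slash', "line\nbreak", 'say "hi"'];

// Approach 1: escape, then place the value INSIDE quotes. The function adds
// no quotes itself, so an escaped value outside a quoted literal is unprotected.
foreach ($samples as $name) {
    $escaped = $con->real_escape_string($name);
    $con->query("INSERT INTO escape_demo (name) VALUES ('$escaped')");
}

// Approach 2: prepared statement. The value travels separately from the SQL
// text, so no escaping is needed.
$stmt = $con->prepare("INSERT INTO escape_demo (name) VALUES (?)");
foreach ($samples as $name) {
    $stmt->bind_param("s", $name);
    $stmt->execute();
}
$stmt->close();

// Both approaches must store the original bytes unchanged.
$stored = [];
$res = $con->query("SELECT name FROM escape_demo ORDER BY id");
while ($row = $res->fetch_row()) {
    $stored[] = $row[0];
}
$ok = ($stored === array_merge($samples, $samples));
print($ok ? "All values stored unchanged\n" : "Stored values differ\n");

// Numeric context: bind as integer ("i") rather than interpolating a value.
$id = "1"; // constructed input, arrives as a string
$stmt = $con->prepare("SELECT name FROM escape_demo WHERE id = ?");
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($first);
$stmt->fetch();
print("Row 1: " . $first . "\n");
$con->close();
```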


Alright guys! This is where we round up this tutorial post. In our next tutorial, we are going to discuss the mysqli_real_query() function in PHP.


Thanks for reading and bye for now.