What is PhpDig?
PhpDig is a PHP MySQL based
Web Spider & Search Engine.



mysql_escape_string — Prepares a string for use in a MySQL query.


string mysql_escape_string(string);
string string: String to escape


A string


mysql_escape_string() replaces characters that have a special meaning in MySQL with an escape sequence. The function is used to escape the individual values for a query, rather than an entire query string. i.e.

// Wrong
$name = "Jimmy U'luue";
$query = "INSERT INTO table (name) VALUES ('$name')";
$query = mysql_escape_string ($query);

// Right
$name = "Jimmy U'luue";
$name = mysql_escape_string ($name);
$query = "INSERT INTO table (name) VALUES ('$name')";
In the first example listed, the query will be converted toINSERT INTO table (name) VALUES (\'Jimmy U\'luue\'). This is no longer a valid query, due to the escaping of the single quotes that used to delimit the name value.

In the second example, the query will be converted to INSERT INTO table (name) VALUES ('Jimmy U\'luue'). This query is valid; the quotes that delimit the string are intact, while the quote inside the string has been escaped. If the quote within the name had not been escaped, the query would have been broken by it.

The characters that are escaped are listed in the following table.

Character ASCII Value Escape Sequence
NUL 0 \0
newline 10 \n
carriage return 13 \r
SUB 26 \Z
" 34 \"
' 39 \'
\ 92 \\


PHP 4.0.3+


Example 800. Show the characters that mysql_escape_string() escapes

<table border="1" cellpadding="5">
    <td>ASCII Value</td>
    <td>Escape Sequence</td>
$cell = '<td align="center">%s</td>';

for ($x=0; $x < 256; $x++) {
    $chr = chr ($x);
    $esc = mysql_escape_string ($chr);

    // Provide names for unprintable characters
    if ($esc != $chr) {
        switch ($x) {
            case 0:
                $chr = 'NUL';
            case 10:
                $chr = '\n';
            case 13:
                $chr = '\r';
            case 26:
                $chr = 'SUB';
        printf ("<tr>$cell$cell$cell</tr>", $chr, $x, $esc);

Example 801. Escape a query using mysql_escape_string()

// Included code that connects to a MySQL server and sets a default database
// See the MySQL Functions chapter introduction for the source code for the file
include ('');

// Escape any naught characters in $HTTP_GET_VARS['user']
$user = mysql_escape_string ($HTTP_GET_VARS['user']);

// Storing our query in a variable helps us debug more easily
$query = "SELECT * FROM table WHERE user = '$user'";

mysql_query ($query)
    or die ("Query '$query' failed with error message: \"" . mysql_error () . '"');

echo "Query '$query' succeeded.";

PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing (Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at The authors of this book have elected not to choose any options under the OPL. This online book was obtained from and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4 for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All persons and entities shall have neither liability nor responsibility to any person or entity with respect to any loss or damage arising from the information contained in this book.

Powered by: vBulletin Version 3.0.7
Copyright ©2000 - 2005, Jelsoft Enterprises Ltd.
Copyright © 2001 - 2005, ThinkDing LLC. All Rights Reserved.