mysql_escape_string

Name

mysql_escape_string — Prepares a string for use in a MySQL query.

Synopsis

string mysql_escape_string(string string);
string string: String to escape

Returns

A string

Description

mysql_escape_string() replaces characters that have a special meaning in MySQL with an escape sequence. The function is used to escape the individual values for a query, rather than an entire query string, as the following two listings show:

// Wrong
$name = "Jimmy U'luue";
$query = "INSERT INTO table (name) VALUES ('$name')";
$query = mysql_escape_string ($query);


// Right
$name = "Jimmy U'luue";
$name = mysql_escape_string ($name);
$query = "INSERT INTO table (name) VALUES ('$name')";
In the first example listed, the query will be converted to INSERT INTO table (name) VALUES (\'Jimmy U\'luue\'). This is no longer a valid query, because the single quotes that used to delimit the name value have themselves been escaped.

In the second example, the query will be converted to INSERT INTO table (name) VALUES ('Jimmy U\'luue'). This query is valid; the quotes that delimit the string are intact, while the quote inside the string has been escaped. If the quote within the name had not been escaped, the query would have been broken by it.

The characters that are escaped are listed in the following table.

Character        ASCII Value  Escape Sequence
NUL              0            \0
newline          10           \n
carriage return  13           \r
SUB              26           \Z
"                34           \"
'                39           \'
\                92           \\
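The following is an added example, not code from the PHP Functions Essential Reference: a Python re-implementation of the seven escape rules in the table above, paired with a minimal lexer for MySQL single-quoted string literals. It reproduces both listings from the Description, and the lexer shows concretely why the "Wrong" ordering (escape the finished query) produces an unterminated literal while the "Right" ordering (escape each value, then splice it in) yields a query whose literal decodes back to the original name. The function names (mysql_escape, right_query, wrong_query, single_quoted_literals, literals_balanced) and the sample name are this example's own.

```python
# Added example (not from the PHP Functions Essential Reference): a Python
# re-implementation of the seven escape rules from the table above, used to
# show why escaping a whole query breaks it while escaping each value does not.

# Escape rules from the table: character -> escape sequence.
ESCAPES = {
    "\x00": "\\0",   # NUL
    "\n": "\\n",     # newline
    "\r": "\\r",     # carriage return
    "\x1a": "\\Z",   # SUB
    '"': '\\"',
    "'": "\\'",
    "\\": "\\\\",
}

# Reverse mapping used when decoding a literal: the character that follows a
# backslash -> the character it stands for.
UNESCAPES = {seq[1]: ch for ch, seq in ESCAPES.items()}


def mysql_escape(value: str) -> str:
    """Escape one value the way mysql_escape_string() does (re-implementation)."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def right_query(name: str) -> str:
    """The 'Right' listing: escape the value, then splice it into the SQL."""
    return f"INSERT INTO table (name) VALUES ('{mysql_escape(name)}')"


def wrong_query(name: str) -> str:
    """The 'Wrong' listing: build the SQL first, then escape the whole thing."""
    return mysql_escape(f"INSERT INTO table (name) VALUES ('{name}')")


def single_quoted_literals(query: str) -> list:
    """Decode every single-quoted string literal in query.

    A minimal lexer for the string-literal part of MySQL syntax: a literal
    starts and ends at an unescaped ', and a backslash inside it introduces
    one of the escape sequences above. Raises ValueError if a literal is never
    closed, which is exactly how the query from the 'Wrong' listing fails.
    """
    literals = []
    i, n = 0, len(query)
    while i < n:
        if query[i] != "'":
            i += 1
            continue
        i += 1                      # skip the opening quote
        buf = []
        while i < n and query[i] != "'":
            if query[i] == "\\" and i + 1 < n:
                buf.append(UNESCAPES.get(query[i + 1], query[i + 1]))
                i += 2
            else:
                buf.append(query[i])
                i += 1
        if i >= n:
            raise ValueError("unterminated string literal: " + query)
        literals.append("".join(buf))
        i += 1                      # skip the closing quote
    return literals


def literals_balanced(query: str) -> bool:
    """True if every single-quoted literal in query is properly closed."""
    try:
        single_quoted_literals(query)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    name = "Jimmy U'luue"           # the value used in the listings above
    for label, q in (("Right", right_query(name)), ("Wrong", wrong_query(name))):
        print(f"{label}: {q}")
        print("  literals:", single_quoted_literals(q) if literals_balanced(q) else "INVALID")
```

Note that the table covers only these seven byte values regardless of the connection's character set; that is the reason mysql_real_escape_string(), which consults the active connection, and later prepared statements replaced this function, and the whole mysql extension was removed in PHP 7.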


Version

PHP 4.0.3+

Example

Example 800. Show the characters that mysql_escape_string() escapes

<table border="1" cellpadding="5">
<tr>
    <td>Character</td>
    <td>ASCII Value</td>
    <td>Escape Sequence</td>
</tr>
<?php
$cell = '<td align="center">%s</td>';

for ($x=0; $x < 256; $x++) {
    $chr = chr ($x);
    $esc = mysql_escape_string ($chr);

    // Provide names for unprintable characters
    if ($esc != $chr) {
        switch ($x) {
            case 0:
                $chr = 'NUL';
                break;
            case 10:
                $chr = '\n';
                break;
            case 13:
                $chr = '\r';
                break;
            case 26:
                $chr = 'SUB';
                break;
        }
        printf ("<tr>$cell$cell$cell</tr>", $chr, $x, $esc);
    }
}
?>
</table>

Example 801. Escape a query using mysql_escape_string()

<?php
// Included code that connects to a MySQL server and sets a default database
// See the MySQL Functions chapter introduction for the source code for the file
include ('mysql_connect.inc.php');

// Escape any naughty characters in $HTTP_GET_VARS['user']
$user = mysql_escape_string ($HTTP_GET_VARS['user']);

// Storing our query in a variable helps us debug more easily
$query = "SELECT * FROM table WHERE user = '$user'";

mysql_query ($query)
    or die ("Query '$query' failed with error message: \"" . mysql_error () . '"');

echo "Query '$query' succeeded.";
?>



PHP Functions Essential Reference. Copyright © 2002 by New Riders Publishing (Authors: Zak Greant, Graeme Merrall, Torben Wilson, Brett Michlitsch). This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at http://www.opencontent.org/openpub/). The authors of this book have elected not to choose any options under the OPL. This online book was obtained from http://www.fooassociates.com/phpfer/ and is designed to provide information about the PHP programming language, focusing on PHP version 4.0.4 for the most part. The information is provided on an as-is basis, and no warranty or fitness is implied. All persons and entities shall have neither liability nor responsibility to any person or entity with respect to any loss or damage arising from the information contained in this book.
