mysql_real_escape_string

Escapes special characters in a string for use in an SQL statement

Alternatives to this function include:

    mysqli_real_escape_string
    PDO::quote

Description

string mysql_real_escape_string ( string $unescaped_string [, resource $link_identifier = NULL ] )

Escapes special characters in unescaped_string, taking into account the current character set of the connection, so that it is safe to place it in a mysql_query. If binary data is to be inserted, this function must be used.

mysql_real_escape_string calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.

Security: the default character set

The character set must be set either at the server level, or with the API function mysql_set_charset, for it to affect mysql_real_escape_string. See the concepts section on character sets for more information.

Parameters

unescaped_string
    The string that is to be escaped.

link_identifier
    The MySQL connection. If the link identifier is not specified, the last connection opened is used.

Return Values

Returns the escaped string, or false on error.

Errors/Exceptions

Executing this function without a MySQL connection present emits an E_WARNING level PHP error. Only execute this function with a valid MySQL connection present.

Examples

Example: Simple mysql_real_escape_string example

Example: mysql_real_escape_string requires a connection example

This example demonstrates what happens if a MySQL connection is not present when calling this function.

Example: An example SQL Injection Attack

The query sent to MySQL in this example would allow anyone to log in without a valid password.

Notes

Note: A MySQL connection is required before using mysql_real_escape_string; otherwise an error of level E_WARNING is generated and false is returned. If link_identifier isn't defined, the last MySQL connection is used.

Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.

Note: mysql_real_escape_string does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

See Also

    mysql_set_charset
    mysql_client_encoding
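The following is an added example, not code from the PHP manual, showing the three points the page makes in working code: escaping depends on the connection's character set, % and _ are not escaped and need separate treatment before a LIKE, and a prepared statement removes the escaping step altogether. It uses mysqli_real_escape_string, the successor named above, because ext/mysql has been removed from current PHP; the host, credentials, database and table names are placeholders, and the input strings are constructed for the demonstration.

```php
<?php
// Added example (not from the PHP manual). Placeholder connection details;
// adjust host, user, password and database for your environment.
$link = mysqli_connect('localhost', 'db_user', 'db_password', 'app_db');
if ($link === false) {
    die('Connection failed: ' . mysqli_connect_error() . "\n");
}

// The escape function is connection-aware: it must know the active character
// set, so set it through the API rather than with a "SET NAMES" query.
mysqli_set_charset($link, 'utf8mb4');

// Constructed input containing a single quote and a newline, two of the
// characters the escape function prepends a backslash to.
$user = "o'reilly\n";

// Unsafe: the quote in $user terminates the string literal and the rest of
// the input becomes SQL. Never build a query this way.
// $sql = "SELECT id FROM users WHERE name = '$user'";

// 1. Escape, then place the value inside single quotes. The escaping is only
//    sufficient because the value sits inside a quoted literal.
$escaped = mysqli_real_escape_string($link, $user);   // o\'reilly\n
$sql = sprintf("SELECT id FROM users WHERE name = '%s'", $escaped);

// 2. LIKE patterns: % and _ are not touched by the escape function, so a search
//    for the literal text "50%_off" would otherwise act as a wildcard pattern.
//    addcslashes() backslash-escapes the wildcards first; the connection-aware
//    escape then doubles those backslashes so MySQL sees "50\%\_off".
$term = '50%_off';
$likeSafe = mysqli_real_escape_string($link, addcslashes($term, '%_'));
$sqlLike = sprintf("SELECT id FROM products WHERE name LIKE '%s%%'", $likeSafe);

// 3. Prepared statement: the value is sent separately from the SQL text, so
//    there is no escaping step that can be forgotten or applied in the wrong
//    character set.
$stmt = mysqli_prepare($link, 'SELECT id FROM users WHERE name = ?');
mysqli_stmt_bind_param($stmt, 's', $user);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
while (mysqli_stmt_fetch($stmt)) {
    echo "matched id $id\n";
}
mysqli_stmt_close($stmt);
mysqli_close($link);
```

The escaped forms in cases 1 and 2 are only safe when the result is embedded inside a single-quoted string literal; an escaped value dropped into an unquoted position (a numeric comparison, an identifier, a LIMIT clause) is still injectable, which is why the prepared statement in case 3 is the form to prefer.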