Escape String Literals for SQL

To run a SQL query with text data containing single quotes ‘ as well as other SQL reserved punctuations, and to prevent SQL injections, you will always want to escape the text values before using them in a SQL query.

mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: x00, n, r, , ‘, ” and x1a.


“SELECT * FROM users WHERE user=’%s’ AND password=’%s'”, mysql_real_escape_string($user), mysql_real_escape_string($password)

Permanent link to this article:

Leave a Reply

Your email address will not be published.