
PHP mysql_real_escape_string() Function


Definition and Usage

The mysql_real_escape_string() function escapes the special characters in a string so that the string can be placed inside a quoted literal in an SQL statement. The following characters are affected:

\x00 (NUL), \n, \r, \, ', ", \x1a (Control-Z)

Each of them gets a backslash prepended (NUL becomes \0 and Control-Z becomes \Z). The function returns the escaped string on success, or FALSE on failure.

Syntax

mysql_real_escape_string(string, connection)

Parameter    Description
string       Required. Specifies the string to be escaped.
connection   Optional. Specifies the MySQL connection. If not specified, the last connection opened by mysql_connect() or mysql_pconnect() is used.

Tips and Notes

Note: Use this function to prevent database attacks! It only protects a value that you place between quotes in the SQL text; a value concatenated into an unquoted position (for example a numeric comparison) is not made safe by escaping it.

Note: The function needs an open connection, because the escaping depends on the connection's character set, and it returns FALSE when no connection is available. A FALSE result concatenated into a query silently becomes an empty string, so check the return value before using it.

Note: The mysql extension that provides this function was deprecated in PHP 5.5.0 and removed in PHP 7.0.0. New code should use prepared statements with bound parameters (mysqli or PDO) instead of building SQL strings by hand.

Example 1

<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// some code to get username and password

// escape username and password for use in SQL
$user = mysql_real_escape_string($user);
$pwd = mysql_real_escape_string($pwd);

$sql = "SELECT * FROM users WHERE
user='" . $user . "' AND password='" . $pwd . "'";

// more code

mysql_close($con);
?>

Example 2

Database attack. This example demonstrates what could happen if we do not use the mysql_real_escape_string() function on the username and password:

<?php
$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

$sql = "SELECT * FROM users
WHERE user='{$_POST['user']}'
AND password='{$_POST['pwd']}'";

mysql_query($sql);

// We didn't check username and password
// Could be anything the user wanted! Example:
$_POST['user'] = 'John';
$_POST['pwd'] = "' OR ''='";

// some code...

mysql_close($con);
?>

The SQL sent would be:

SELECT * FROM users
WHERE user='John'
AND password='' OR ''=''

This means that anyone could log in without a valid password! AND binds tighter than OR, so the condition reads (user='John' AND password='') OR (''=''), and the second half is always true.

Example 3

The correct way to do it to prevent database attacks:

<?php
function check_input($value)
{
// Stripslashes
if (get_magic_quotes_gpc())
  {
  $value = stripslashes($value);
  }
// Quote if not a number
if (!is_numeric($value))
  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}

$con = mysql_connect("localhost", "peter", "abc123");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

// Make a safe SQL
$user = check_input($_POST['user']);
$pwd = check_input($_POST['pwd']);
$sql = "SELECT * FROM users WHERE
user=$user AND password=$pwd";

mysql_query($sql);

mysql_close($con);
?>

Note that check_input() adds the surrounding quotes itself, so the query must not add a second pair. The get_magic_quotes_gpc() branch is historical: magic quotes were removed in PHP 5.4.0 and the function itself in PHP 8.0.0.
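The seven-character escaping rule from the definition above, re-implemented in plain PHP as an added example (this is not code from the page or from PHP itself) so it can be run without a MySQL connection. The function name escape_like_mysql, the helper query builders and the unquoted id lookup are this example's own assumptions; the port also assumes a connection character set such as latin1 or utf8 in which none of these bytes can be the tail of a multi-byte character, which is the part the real function reads from the connection.

```php
<?php
// Added example: the escaping rules of mysql_real_escape_string() in plain PHP.
// Assumes a single-byte-safe charset (latin1/utf8); illustration only.
function escape_like_mysql(string $value): string
{
    // strtr() makes one pass with longest-match-first, so nothing is escaped twice.
    return strtr($value, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// The login query of Example 2, but with both values escaped before use.
function login_query(string $user, string $pwd): string
{
    return "SELECT * FROM users WHERE user='" . escape_like_mysql($user)
         . "' AND password='" . escape_like_mysql($pwd) . "'";
}

// Hypothetical lookup by numeric id where the developer left the value
// unquoted because "it is only a number".
function lookup_by_id_query(string $id): string
{
    return "SELECT * FROM users WHERE id=" . escape_like_mysql($id);
}

// The Example 2 payload in a quoted context: the quote that would have
// closed the literal becomes \' and the whole value stays inside the literal.
echo login_query('John', "' OR ''="), "\n";

// The same function in an unquoted context: the payload contains none of the
// seven characters, so it is passed through unchanged and the OR is live SQL.
// Quoting the value (as check_input() in Example 3 does for non-numeric
// input) or binding it as a parameter is what actually helps here.
echo lookup_by_id_query('1 OR 1=1'), "\n";
```

Running it prints the login query with password='\' OR \'\'=' and then SELECT * FROM users WHERE id=1 OR 1=1, which returns every row: the first case is what the function is for, the second is the case it cannot help with.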

MySQL - SQL Injection Prevention

If you have ever taken raw user input and inserted it into a MySQL database, there is a chance that you have left yourself wide open for a security issue known as SQL Injection. This lesson will teach you how to help prevent this from happening and help you secure your scripts and MySQL statements.

What is SQL Injection

SQL injection refers to the act of someone inserting a MySQL statement to be run on your database without your knowledge. Injection usually occurs when you ask a user for input, like their name, and instead of a name they give you a MySQL statement that you will unknowingly run on your database.

SQL Injection Example

Below is a sample string that has been gathered from a normal user and a bad user trying to use SQL Injection. We asked the users for their login, which will be used to run a SELECT statement to get their information.

MySQL & PHP Code

<?php
// a good user's name
$name = "timmy";
$query = "SELECT * FROM customers WHERE username = '$name'";
echo "Normal: " . $query . "<br />";

// user input that uses SQL Injection
$name_bad = "' OR 1'";

// our MySQL query builder, however, not a very safe one
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";

// display what the new query will look like, with injection
echo "Injection: " . $query_bad;
?>

Display

Normal: SELECT * FROM customers WHERE username = 'timmy'
Injection: SELECT * FROM customers WHERE username = '' OR 1''

The normal query is no problem, as our MySQL statement will just select everything from customers that has a username equal to timmy. However, the injection attack has actually made our query behave differently than we intended. By using a single quote (') they have ended the string part of our MySQL query

username = ' '

and then added on to our WHERE statement with an OR clause of 1 (always true).

username = ' ' OR 1

This OR clause of 1 will always be true and so every single entry in the "customers" table would be selected by this statement! One correction to the example as written: the payload's trailing quote leaves a stray empty literal after the 1, so the exact query shown above, username = '' OR 1'', is rejected by MySQL as a syntax error rather than executed. An attacker simply adjusts the payload, for example to ' OR '1'='1, which yields username = '' OR '1'='1' and returns every row; the point about the quote ending the literal is unchanged.

More Serious SQL Injection Attacks

Although the above example displayed a situation where an attacker could possibly get access to a lot of information they shouldn't have, the attacks can be a lot worse. For example an attacker could empty out a table by executing a DELETE statement.

MySQL & PHP Code

<?php
$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";

// our MySQL query builder really should check for injection
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";

// the new evil injection query would include a DELETE statement
echo "Injection: " . $query_evil;
?>

Display

SELECT * FROM customers WHERE username = ''; DELETE FROM customers WHERE 1 or username = ''

If you were to run this query, then the injected DELETE statement would completely empty your "customers" table. One caveat: PHP's mysql_query() sends a single statement and does not execute two statements in one call, so this exact stacked query fails through that function. The attack is real wherever the API does allow multiple statements (mysqli_multi_query(), for instance), and an attacker who cannot stack statements still has the data-reading attack above. Now that you know this is a problem, how can you prevent it?

Injection Prevention - mysql_real_escape_string()

Lucky for you, this problem has been known for a while and PHP has a specially-made function to help prevent these attacks. All you need to do is use the mouthful of a function mysql_real_escape_string. What mysql_real_escape_string does is take a string that is going to be placed inside a quoted literal in a MySQL query and return the same string with the characters that could break out of that literal escaped. Basically, it will replace those troublesome quotes (') a user might enter with a MySQL-safe substitute, an escaped quote \'. It does not neutralise every possible injection: it only helps where the value is surrounded by quotes in the query, and it does nothing for a value spliced into an unquoted position such as a numeric comparison, a column name or an ORDER BY clause. Let's try out this function on our two previous injection attacks and see how it works.

MySQL & PHP Code

<?php
//NOTE: you must be connected to the database to use this function!
// connect to MySQL

$name_bad = "' OR 1'";
$name_bad = mysql_real_escape_string($name_bad);
$query_bad = "SELECT * FROM customers WHERE username = '$name_bad'";
echo "Escaped Bad Injection: <br />" . $query_bad . "<br />";

$name_evil = "'; DELETE FROM customers WHERE 1 or username = '";
$name_evil = mysql_real_escape_string($name_evil);
$query_evil = "SELECT * FROM customers WHERE username = '$name_evil'";
echo "Escaped Evil Injection: <br />" . $query_evil;
?>

Display

Escaped Bad Injection: SELECT * FROM customers WHERE username = '\' OR 1\''
Escaped Evil Injection: SELECT * FROM customers WHERE username = '\'; DELETE FROM customers WHERE 1 or username = \''

Notice that those evil quotes have been escaped with a backslash \, preventing the injection attack. Now all these queries will do is try to find a username that is just completely ridiculous:

Bad: \' OR 1\'
Evil: \'; DELETE FROM customers WHERE 1 or username = \'

The backslashes exist only in the SQL text; MySQL strips them when it parses the literal, so the database is asked for a customer whose name is literally ' OR 1' or '; DELETE FROM customers WHERE 1 or username = '.

And I don't think we have to worry about those silly usernames getting access to our MySQL database. So please do use the handy mysql_real_escape_string() function to help prevent SQL Injection attacks on your websites, and remember that it only covers values you put inside quotes. In current PHP the mysql extension is gone altogether (deprecated in 5.5, removed in 7.0); the equivalent habit today is a prepared statement with bound parameters through mysqli or PDO, which keeps the value out of the SQL text entirely and therefore covers the unquoted cases as well. You have no excuse not to do one of the two after reading this lesson!
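The lesson's query builder next to the same lookup written as a PDO prepared statement, as an added example that is not part of the original lesson. It runs against an in-memory SQLite table built inside the script (the customers table and its two rows are constructed here), so it works offline with only the pdo_sqlite extension; with PDO's MySQL driver just the DSN in the constructor changes. SQLite does not treat a backslash as an escape character, so this example deliberately does not depend on mysql_real_escape_string() at all: the protection comes from the value never becoming part of the SQL text. The function names and the payload are this example's own.

```php
<?php
// Added example: concatenated query versus prepared statement, on a
// constructed in-memory SQLite table standing in for the lesson's customers.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT NOT NULL)");
$db->exec("INSERT INTO customers (username) VALUES ('timmy'), ('alice')");

// The lesson's approach: the raw name is spliced into the statement text.
function find_customer_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT username FROM customers WHERE username = '$name' ORDER BY id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed at prepare time and the value is
// bound separately, so a quote inside it can never end the string literal.
function find_customer_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT username FROM customers WHERE username = ? ORDER BY id");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A tautology payload that parses. The lesson's "' OR 1'" leaves a stray ''
// after the 1 and is rejected as a syntax error; this one is accepted.
$payload = "' OR '1'='1";

print_r(find_customer_vulnerable($db, 'timmy'));   // the legitimate lookup
print_r(find_customer_vulnerable($db, $payload));  // WHERE username = '' OR '1'='1'
print_r(find_customer_safe($db, $payload));        // looks for that literal name
```

The first call returns only timmy. The second returns both timmy and alice, because the injected clause has turned the WHERE condition into username = '' OR '1'='1'. The third returns no rows at all: the database is asked for a customer whose name is literally ' OR '1'='1, which is the behaviour the escaping section above was trying to achieve, obtained without any escaping and without depending on whether the value sits in a quoted position.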
