MySQLi_real_escape_string - Not Working?

Question

Octet 45 Newbie Poster

11 Years Ago

I am trying to help prevent SQL injection using mysqli_real_escape_string, I have the following:

<?php

    $Connect = mysqli_connect ('', '', '', '');

    if (mysqli_connect_errno())
    {
        die ("Couldn't Connect to the Database");
    }

    $String = "Hello, my name is (*$<>)*$)!*)_£)(!*£$&";

    echo $String."<br><br>";

    $Escaped = mysqli_real_escape_string($Connect, $String);

    echo $Escaped; 

?>

The problem is none of the characters that I keyboard slammed are being escaped? Even though they would be considered dangerous characters. All it does is output Hello, my name is (*$<>)*$)!*)_£)(!*£$& in both examples.

Any suggestions?

Thank you

---------------------------
Doesn't matter... I missunderstood what mysqli_real_escape_string does... it adds it to quotes?

php

Edited 11 Years Ago by Octet

2 Contributors
1 Reply
702 Views
17 Minutes Discussion Span
Latest Post 11 Years Ago Latest Post by GliderPilot

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

GliderPilot 33 Posting Whiz · Answer 1 · 2012-12-11T19:50:43+00:00

all mysqli_real_escape_string does is add a \ in front of the characters to neutralize them, it doesn't remove them. When you echo out the value PHP also uses the \ to output the literal character rather than interpurate it so you won't see the \ in your echo'd text