I am trying to help prevent SQL injection using mysqli_real_escape_string. I have the following:


    <?php
    // Connection details left blank in the post (host, user, password, database)
    $Connect = mysqli_connect('', '', '', '');

    if (mysqli_connect_errno()) {
        die("Couldn't Connect to the Database");
    }

    $String = "Hello, my name is (*$<>)*$)!*)_£)(!*£$&";

    echo $String . "<br><br>";

    // Escape the string for use inside a quoted SQL literal on this connection
    $Escaped = mysqli_real_escape_string($Connect, $String);

    echo $Escaped;


The problem is that none of the characters I keyboard-slammed are being escaped, even though they would be considered dangerous characters. All it does is output `Hello, my name is (*$<>)*$)!*)_£)(!*£$&` in both cases.

Any suggestions?

Thank you

Doesn't matter... I misunderstood what mysqli_real_escape_string does... it adds it to quotes?

All mysqli_real_escape_string does is add a \ in front of the characters to neutralize them; it doesn't remove them. When you echo out the value, PHP also uses the \ to output the literal character rather than interpret it, so you won't see the \ in your echoed text.
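To make the behaviour discussed in the question and the answer concrete, here is an added example (not code from either poster). It runs the OP's string and a second constructed string containing the characters mysqli_real_escape_string is documented to escape (NUL, newline, carriage return, backslash, single quote, double quote and Ctrl-Z) through the same call, then shows the prepared-statement form that avoids string escaping altogether. The connection parameters, the `users` table and the `name` column are placeholders assumed for the example.

```php
<?php
// Added example, not from the original question or answer.
// Connection details are placeholders (assumption): replace to run.
$Connect = mysqli_connect('db-host-placeholder', 'user-placeholder',
                          'password-placeholder', 'db-placeholder');
if (mysqli_connect_errno()) {
    die("Couldn't connect to the database: " . mysqli_connect_error());
}
// The escape rules depend on the connection charset, so set it explicitly
// rather than relying on the server default.
mysqli_set_charset($Connect, 'utf8mb4');

// Constructed inputs: the first is the OP's string (only punctuation that
// the function leaves alone); the second contains characters that are
// actually escaped: a single quote, a backslash, double quotes, a newline.
$inputs = [
    "Hello, my name is (*$<>)*$)!*)_£)(!*£$&",
    "O'Brien \\ \"quoted\" line1\nline2",
];

foreach ($inputs as $in) {
    $escaped = mysqli_real_escape_string($Connect, $in);
    // htmlspecialchars so the browser shows the backslashes literally
    echo htmlspecialchars($in) . ' => ' . htmlspecialchars($escaped) . "<br>\n";
}
// First line prints unchanged; the second prints
// O\'Brien \\ \"quoted\" line1\nline2 (with a literal backslash-n).

// The escaped value is only safe when placed inside a quoted SQL literal.
// A prepared statement sends the value separately from the SQL text, so no
// escaping is needed. Table and column names are assumptions for the example.
$stmt = mysqli_prepare($Connect, "SELECT id FROM users WHERE name = ?");
mysqli_stmt_bind_param($stmt, 's', $inputs[1]);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $id);
while (mysqli_stmt_fetch($stmt)) {
    echo "matched id " . (int)$id . "<br>\n";
}
mysqli_stmt_close($stmt);
```

The practical takeaway: mysqli_real_escape_string does nothing to characters such as `<`, `>` or `$`, because they cannot terminate a quoted SQL string; it only matters where the escaped value is wrapped in quotes in the query, and it is only correct when the connection charset is set as above. Binding parameters, as in the second half of the example, removes that dependency on careful quoting.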