I am trying to help prevent SQL injection using mysqli_real_escape_string, I have the following:


    <?php
    // Connection details left blank in the original post (placeholders)
    $Connect = mysqli_connect ('', '', '', '');

    if (mysqli_connect_errno())
        die ("Couldn't Connect to the Database");

    // Test string: none of these characters are among the ones
    // mysqli_real_escape_string escapes (NUL, \n, \r, \, ', ", Ctrl-Z)
    $String = "Hello, my name is (*$<>)*$)!*)_£)(!*£$&";

    echo $String."<br><br>";

    // Escaping requires a live connection (it depends on the connection charset)
    $Escaped = mysqli_real_escape_string($Connect, $String);

    echo $Escaped;


The problem is that none of the characters I keyboard-slammed are being escaped, even though they would be considered dangerous characters. All it does is output Hello, my name is (*$<>)*$)!*)_£)(!*£$& in both cases.

Any suggestions?

Thank you

Doesn't matter... I misunderstood what mysqli_real_escape_string does... it adds it to quotes?

Edited by Octet

Last Post by GliderPilot

All mysqli_real_escape_string does is add a \ in front of the characters to neutralize them; it doesn't remove them. When you echo out the value, PHP also uses the \ to output the literal character rather than interpret it, so you won't see the \ in your echoed text.
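Added example, not code from the original thread: a small helper that mirrors the escaping rule mysqli_real_escape_string applies (so it runs without a database), the poster's string and a quote-bearing string run through it, and a prepared-statement lookup as the stronger fix. The helper name `escape_like_mysqli`, the function `find_user` and the `users` table are assumptions.

```php
<?php
// Added example (not from the original post). mysqli_real_escape_string only
// escapes the bytes MySQL treats specially inside a quoted literal:
// NUL, \n, \r, \, ', " and Ctrl-Z. Characters such as ( * $ < > & pass
// through untouched, which is why the poster saw no change. This helper
// mirrors that rule so the effect is visible without a live connection
// (assumes the default server mode, i.e. NO_BACKSLASH_ESCAPES is off).
function escape_like_mysqli(string $s): string {
    return strtr($s, [
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

$samples = [
    'Hello, my name is (*$<>)*$)!*)_£)(!*£$&',  // the poster's string: nothing to escape
    "O'Brien",                                  // the quote is what actually matters
    "line1\nline2",                             // newline is escaped too
];
foreach ($samples as $s) {
    printf("%-45s -> %s\n", addcslashes($s, "\n"), escape_like_mysqli($s));
}

// Escaping only helps when the result sits between quotes in the SQL text.
// A value spliced into an unquoted numeric position gets no protection:
$id = "1 OR 1=1";
echo "Still unsafe: SELECT * FROM users WHERE id = " . escape_like_mysqli($id) . "\n";

// The robust fix keeps data out of the SQL text entirely: a prepared
// statement sends the value separately, so it is never parsed as SQL.
// (Assumes a connected mysqli object and a users(id, name) table;
// get_result() needs the mysqlnd driver.)
function find_user(mysqli $db, string $name): ?array {
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}
```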
