PHP Doku:: Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection - mysqli.real-escape-string.html

Verlauf / Chronik / History: (3) anzeigen

Sie sind hier:
Doku-StartseitePHP-HandbuchFunktionsreferenzDatenbankerweiterungenAnbieterspezifische DatenbankerweiterungenMySQL Improved ExtensionThe MySQLi classmysqli::real_escape_string -- mysqli_real_escape_string

Ein Service von Reinhard Neidl - Webprogrammierung.

The MySQLi class

<<mysqli::real_connect -- mysqli_real_connect

mysqli::real_query -- mysqli_real_query>>

mysqli::real_escape_string

mysqli_real_escape_string

(PHP 5)

mysqli::real_escape_string -- mysqli_real_escape_stringEscapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection

Beschreibung

Objektorientierter Stil

string mysqli::escape_string ( string $escapestr )
string mysqli::real_escape_string ( string $escapestr )

Prozeduraler Stil

string mysqli_real_escape_string ( mysqli $link , string $escapestr )

This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to an escaped SQL string, taking into account the current character set of the connection.

Parameter-Liste

link

Nur bei prozeduralem Aufruf: Ein von mysqli_connect() oder mysqli_init() zurückgegebenes Verbindungsobjekt.

escapestr

The string to be escaped.

Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.

Rückgabewerte

Returns an escaped string.

Beispiele

Beispiel #1 mysqli::real_escape_string() example

Objektorientierter Stil

<?php
$mysqli 
= new mysqli("localhost""my_user""my_password""world");

/* check connection */
if (mysqli_connect_errno()) {
    
printf("Connect failed: %s\n"mysqli_connect_error());
    exit();
}

$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");

$city "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    
printf("Error: %s\n"$mysqli->sqlstate);
}

$city $mysqli->real_escape_string($city);

/* this query with escaped $city will work */
if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
    
printf("%d Row inserted.\n"$mysqli->affected_rows);
}

$mysqli->close();
?>

Prozeduraler Stil

<?php
$link 
mysqli_connect("localhost""my_user""my_password""world");

/* check connection */
if (mysqli_connect_errno()) {
    
printf("Connect failed: %s\n"mysqli_connect_error());
    exit();
}

mysqli_query($link"CREATE TEMPORARY TABLE myCity LIKE City");

$city "'s Hertogenbosch";

/* this query will fail, cause we didn't escape $city */
if (!mysqli_query($link"INSERT into myCity (Name) VALUES ('$city')")) {
    
printf("Error: %s\n"mysqli_sqlstate($link));
}

$city mysqli_real_escape_string($link$city);

/* this query with escaped $city will work */
if (mysqli_query($link"INSERT into myCity (Name) VALUES ('$city')")) {
    
printf("%d Row inserted.\n"mysqli_affected_rows($link));
}

mysqli_close($link);
?>

The above examples will output:

Error: 42000
1 Row inserted.

Siehe auch


4 BenutzerBeiträge:
- Beiträge aktualisieren...
Josef Toman
26.02.2010 15:14
For percent sign and underscore I use this:
<?php
$more_escaped
= addcslashes($escaped, '%_');
?>
vita dot plachy at seznam dot cz
9.11.2007 20:37
The above can be managed by the following function:

<?php
function search_escape($str, $char = '\\')
{
    return
ereg_replace('[%_]', $char . '\0', $str);
}
?>
tobias_demuth at web dot de
10.11.2005 17:54
Note, that if no connection is open, mysqli_real_escape_string() will return an empty string!
arnoud at procurios dot nl
7.10.2004 18:05
Note that this function will NOT escape _ (underscore) and % (percent) signs, which have special meanings in LIKE clauses.

As far as I know there is no function to do this, so you have to escape them yourself by adding a backslash in front of them.



PHP Powered Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)