Using the mysqli_real_escape_string() PHP Function to Fight MySQL Injection
Posted on June 19, 2015 in MySQL, PHP by Matt Jennings
To prevent hackers from entering MySQL queries into forms that will do damage to my database, I need to escape this data by using the mysqli_real_escape_string() PHP function. Below is some example PHP from Coding Dojo on how to do this:
$_SESSION['name'] = $_POST['name'];
$_SESSION['quote'] = $_POST['quote'];
$esc_name = mysqli_real_escape_string($connection, $_SESSION['name']);
$esc_quote = mysqli_real_escape_string($connection, $_SESSION['quote']);
// Save a MySQL query as a $query variable using
// data from form fields
$insert_query = "INSERT INTO quotes(name, quote, created_at, updated_at) VALUES ('{$esc_name}', '{$esc_quote}', NOW(), NOW())";
// Pass the $query variable into a called function
// and save it as a $execute_query variable
$execute_insert_query = run_mysql_query($insert_query);