array ( 0 => 'index.php', 1 => 'PHP Manual', ), 'head' => array ( 0 => 'UTF-8', 1 => 'uk', ), 'this' => array ( 0 => 'mysqli.real-escape-string.php', 1 => 'mysqli::real_escape_string', 2 => 'Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection', ), 'up' => array ( 0 => 'class.mysqli.php', 1 => 'mysqli', ), 'prev' => array ( 0 => 'mysqli.real-connect.php', 1 => 'mysqli::real_connect', ), 'next' => array ( 0 => 'mysqli.real-query.php', 1 => 'mysqli::real_query', ), 'alternatives' => array ( ), 'source' => array ( 'lang' => 'en', 'path' => 'reference/mysqli/mysqli/real-escape-string.xml', ), 'history' => array ( ), ); $setup["toc"] = $TOC; $setup["toc_deprecated"] = $TOC_DEPRECATED; $setup["parents"] = $PARENTS; manual_setup($setup); contributors($setup); ?>

mysqli::real_escape_string

mysqli_real_escape_string

(PHP 5, PHP 7, PHP 8)

mysqli::real_escape_string -- mysqli_real_escape_stringEscapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection

Опис

Об'єктно-орієнтований стиль

public mysqli::real_escape_string(string $string): string

Процедурний стиль

mysqli_real_escape_string(mysqli $mysql, string $string): string

This function is used to create a legal SQL string that you can use in an SQL statement. The given string is encoded to produce an escaped SQL string, taking into account the current character set of the connection.

Застереження

Security: the default character set

The character set must be set either at the server level, or with the API function mysqli_set_charset() for it to affect mysqli_real_escape_string(). See the concepts section on character sets for more information.

Параметри

mysql

Тільки процедурний стиль: об'єкт mysqli, якого повертає функція mysqli_connect() або mysqli_init()

string

The string to be escaped.

Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and CTRL+Z.

Значення, що повертаються

Returns an escaped string.

Приклади

Приклад #1 mysqli::real_escape_string() example

Об'єктно-орієнтований стиль

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

$city = "'s-Hertogenbosch";

/* this query with escaped $city will work */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
$mysqli->real_escape_string($city));
$result = $mysqli->query($query);
printf("Select returned %d rows.\n", $result->num_rows);

/* this query will fail, because we didn't escape $city */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = $mysqli->query($query);

Процедурний стиль

<?php

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = mysqli_connect("localhost", "my_user", "my_password", "world");

$city = "'s-Hertogenbosch";

/* this query with escaped $city will work */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
mysqli_real_escape_string($mysqli, $city));
$result = mysqli_query($mysqli, $query);
printf("Select returned %d rows.\n", mysqli_num_rows($result));

/* this query will fail, because we didn't escape $city */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = mysqli_query($mysqli, $query);

Подані вище приклади виведуть щось схоже на:

Select returned 1 rows.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...

Прогляньте також