===== Syntax =====
string mysql_escape_string(string $str)
//(PHP 4, PHP 5)//
^ $str | The source string which will be escaped for use in a MySQL query. |
^ RETURNS | The escaped string which may be used in a MySQL query. |
===== What it Does =====
Escapes the characters in a string that have special meaning to MySQL so that the value can be passed safely to the database server. Use this whenever you build an SQL query which uses a string literal. You should also use this function to prevent SQL injection attacks against your database.
===== Example =====
<code php>
// retrieve the user based on the login
// the escaped values are placed inside single quotes: escaping only protects
// a value that sits within a quoted string literal
$sql = "SELECT * FROM tblUser
        WHERE username = '" . mysql_escape_string($_POST['username']) . "'
        AND password = '" . mysql_escape_string($_POST['password']) . "'";
</code>
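The following is an added example, not code from the original page: it wraps the query construction in a function and runs it over constructed inputs so the effect of escaping inside a quoted literal can be seen. The function name buildUserQuery and the fallback definition are assumptions for this demonstration; mysql_escape_string() itself was deprecated in PHP 5.3 and removed in PHP 7.0.

```php
<?php
// Added example, not from the original page. On PHP 4/5 the built-in
// mysql_escape_string() is used; the fallback below only exists so the
// demonstration runs on newer PHP where the function was removed.
if (!function_exists('mysql_escape_string')) {
    function mysql_escape_string($str) {
        // Mirrors the characters the real function escapes:
        // NUL, newline, carriage return, backslash, ', " and Ctrl-Z
        return strtr($str, array(
            "\0"   => '\0',
            "\n"   => '\n',
            "\r"   => '\r',
            '\\'   => '\\\\',
            "'"    => "\\'",
            '"'    => '\\"',
            "\x1a" => '\Z',
        ));
    }
}

// Builds the lookup query from the page. The escaped value MUST sit inside
// quotes: escaping only neutralises characters that would end a quoted
// literal, so an unquoted value is still parsed as SQL however it was escaped.
function buildUserQuery($username, $password) {
    return "SELECT * FROM tblUser"
         . " WHERE username = '" . mysql_escape_string($username) . "'"
         . " AND password = '" . mysql_escape_string($password) . "'";
}

// Constructed inputs: a legitimate name containing an apostrophe, and a
// value that tries to close the literal early. In both cases the apostrophe
// is escaped and stays part of the string value rather than the SQL.
$inputs = array(
    array("O'Brien", "secret"),
    array("alice' OR '1'='1", "x"),
);
foreach ($inputs as $in) {
    echo buildUserQuery($in[0], $in[1]), "\n";
}
```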