string mysql_escape_string(string $str)
(PHP 4, PHP 5)
| $str | The source string which will be escaped for use in a MySQL query. |
|---|---|
| RETURNS | The escaped string which may be used in a MySQL query. |
Escapes the characters in $str that have special meaning inside a MySQL string literal (NUL, \n, \r, \, ', " and Control-Z) by prefixing each with a backslash, so that the value can be placed between quotes in a query. It does not escape % and _, so a value used inside a LIKE pattern needs those escaped separately. Unlike mysql_real_escape_string(), this function takes no connection argument and therefore ignores the connection's current character set; with a multibyte charset such as GBK, the added backslash can be absorbed into a multibyte sequence and leave a quote unescaped. It has been deprecated since PHP 4.3.0 in favour of mysql_real_escape_string(), and the whole mysql extension was removed in PHP 7.0.0. Escaping only protects a value that is enclosed in quotes in the SQL text: an escaped value inserted bare, or used as a table name, column name or ORDER BY expression, is still injectable. For new code, use prepared statements (mysqli or PDO) rather than escaping at all.
```php
// retrieve the user based on the login
// The escaped values must be enclosed in single quotes in the query text;
// without the quotes, escaping does nothing to prevent injection.
$sql = "SELECT * FROM tblUser WHERE username = '" . mysql_escape_string($_POST['username']) .
       "' AND password = '" . mysql_escape_string($_POST['password']) . "'";
```
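The following is an added example, not part of the manual entry, contrasting bare concatenation, escaping with quoting, and a prepared statement. It assumes a table tblUser with columns username and password_hash, an existing PDO connection in $pdo, and PHP 5.5 or later (needed for password_verify(); the mysql_escape_string() call itself only exists on PHP 4 and 5). The attacker input is constructed for illustration.

```php
<?php
// Added example (not the PHP manual's own code). Assumes tblUser(username, password_hash)
// and an existing PDO connection $pdo; both are assumptions for illustration.

// Constructed attacker input: a quote closes the string literal, "-- " comments out the rest.
$username = "admin' -- ";
$password = "anything";

// 1. Bare concatenation. The quote in $username terminates the literal and the
//    password check is commented away, so the query matches the admin row regardless.
$unsafe = "SELECT * FROM tblUser WHERE username = '" . $username .
          "' AND password = '" . $password . "'";

// 2. Escaped and quoted. The quote becomes \' and remains inside the literal, so the
//    query looks for a user literally named "admin' -- ". This is only safe because the
//    value sits between single quotes; an escaped but unquoted value is still injectable.
$escaped = "SELECT * FROM tblUser WHERE username = '" . mysql_escape_string($username) .
           "' AND password = '" . mysql_escape_string($password) . "'";

// 3. Prepared statement (PDO). The value is sent separately from the SQL text, so no
//    escaping is needed and the character-set problem of mysql_escape_string() cannot occur.
//    The password is verified against a stored hash instead of being compared in SQL.
function findUser(PDO $pdo, $username, $password)
{
    $stmt = $pdo->prepare('SELECT username, password_hash FROM tblUser WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // unknown user or wrong password; same result for both
    }
    return $row['username'];
}

$user = findUser($pdo, $username, $password);
if ($user === null) {
    echo "login failed\n";
} else {
    echo "logged in as " . htmlspecialchars($user) . "\n";
}
```

Variant 2 is the most that mysql_escape_string() can offer and is appropriate only for legacy PHP 4/5 code that cannot be moved off the mysql extension; even there, mysql_real_escape_string() with an open connection is the better choice because it honours the connection character set. Variant 3 is the form to use for any code that can run on mysqli or PDO.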