  • 33
    This is the best you can do with legacy mysql extension. For new code, you're advised to switch to mysqli or PDO. Commented Feb 26, 2013 at 12:42
  • 7
    I do not agree with this 'a specially-made function to prevent these attacks'. I think that the purpose of mysql_real_escape_string is to allow building a correct SQL query for every input data string. Prevention of SQL injection is a side effect of this function.
    – sectus
    Commented Jul 9, 2013 at 5:01
  • 5
    You don't use functions to write correct input data-strings. You just write correct ones that don't need escaping or have already been escaped. mysql_real_escape_string() may have been designed with the purpose you mention in mind, but its only value is preventing injection.
    – Nazca
    Commented Mar 12, 2014 at 22:38
  • 22
    WARNING! mysql_real_escape_string() is not infallible.
    – eggyal
    Commented Apr 25, 2014 at 14:50
  • 10
    mysql_real_escape_string is now deprecated, so it's no longer a viable option. It will be removed in the future from PHP. It's best to move on to what the PHP or MySQL folks recommend.
    – jww
    Commented Apr 8, 2015 at 6:41