Why should you use MySQLi Real Escape String

What is striplashes for? [Duplicate] - PHP, MySQL, function

Possible duplicates:
Using strip slashes after mysql_real_escape_string

I've been reading about SQL injection prevention lately and am trying to get some understanding of its various functions so that I can learn the basics.

I've read about it and I understand it's basically escape characters that it considers "special" so it doesn't get confused for SQL syntax?

Assuming this is true at least to some extent, is there a need to use function combined with the? I wonder what is and what it is for.


11 for the answer № 1

If you used to type in right after using you will effectively undo it. There are probably other reasons for using it, but in my case I've only ever needed it to undo the horror that magical quotes are. It's actually the opposite of.

does not necessarily Escape input like doing and they cannot be used for the same purpose.

Even better than, you should familiarize yourself with prepared instructions as in. Then you don't even have to worry or (except for magic quotes).

3 for the answer № 2

The function characters that are masked with a backslash are not masked. . It is often used for strings that are escaped or when your PHP configuration has enabled.

When using SQL escaping functions like There is no need to use because the MySQL adapter only loses the values ​​when it is inserted into the database, the slashes do not stay in the actual values. If you'd use on a variable that you've already escaped with, the slashes are removed as if using them - pretty pointless.

If your goal is to prevent SQL injection, I would highly recommend checking out MySQLi or PDO as opposed to the older methods. Both MySQLi and PDO provide prepared statements which, when used correctly, prevent SQL injection without you having to remember to call special escape functions or Worry about whether they'll change your data.

0 for the answer № 3

Check out


The escape functions add slashes "" to escape characters that can be used to terminate valid query STRINGS (not the query itself) to prevent injection. The Stripslashes feature is used to remove these slashes. However, they are not useful for creating query strings because they remove the required slashes.

Results from MySQL are not "escaped", so strip slashes are not needed when dealing with results.

-1 for the answer № 4

The Stripslashes function is used for


The output of the code above is:

For more details: