I have a dilemma: how should I mysql_real_escape_string() my variables without inserting \n, \r, \x00 into the database when someone uses " ' or <br> in my comment field? I tried preg_replace instead of mysql_real_escape_string, but it seems I don't know exactly how to allow all the chars and signs I want.
You should be able to use str_replace to help with this:
Having said that, it is a good idea to switch to mysqli or PDO for database reads and writes. Both of these allow prepared statements, which reduce the risk of SQL injection.
Here’s an example of PDO:
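The following is an added illustration of the PDO approach the answer recommends; it is not the answerer's own code. The DSN, credentials, and the `comments` table with its `post_id`/`body` columns are placeholders, and the `$comment` value is constructed to contain exactly the characters the question worries about (quotes, a newline, a `<br>` tag, and a trailing SQL fragment). With bound parameters the driver sends the values separately from the SQL text, so nothing needs to be escaped before storage and the text is stored as typed; the `<br>` concern is then handled where it actually matters, at HTML output time, with `htmlspecialchars()` and `nl2br()`.

```php
<?php
// Added example (not the answer's own code): storing a user comment with a
// PDO prepared statement and rendering it safely. Connection details and the
// table/column names are placeholders, not taken from the question.

function insertComment(PDO $pdo, int $postId, string $comment): int
{
    // The SQL text contains no user data. The values travel separately, so
    // ' " \n \r \x00 and <br> are stored exactly as typed and cannot change
    // the statement. No mysql_real_escape_string() or str_replace() needed.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (post_id, body) VALUES (:post_id, :body)'
    );
    $stmt->bindValue(':post_id', $postId, PDO::PARAM_INT);
    $stmt->bindValue(':body', $comment, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetchComment(PDO $pdo, int $id): string
{
    // Reads use a prepared statement too; the id is bound as an integer.
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return (string) $stmt->fetchColumn();
}

function renderComment(string $body): string
{
    // Escaping belongs at the output boundary, not the storage boundary:
    // encode for HTML so a literal <br> or <script> is shown as text, then
    // turn the stored newlines into real line breaks for display.
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Placeholder connection details (assumption, not from the question).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Constructed sample input with quotes, a newline, an HTML tag and a SQL
// fragment; all of it is stored verbatim and rendered as plain text.
$comment = "It's \"fine\" <br>\nsecond line'; DROP TABLE comments; --";

$id = insertComment($pdo, 42, $comment);
echo renderComment(fetchComment($pdo, $id));
```

Setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes the MySQL driver use true server-side prepared statements rather than client-side quoting, and `ATTR_ERRMODE` set to exceptions ensures a failed `execute()` is not silently ignored.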