Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I’m developing my personal web site using php. everything is ok but I just read mysql_real_escape_string manual in php.net and found two things:
- This function must always (with few exceptions) be used to make data safe before sending a query to MySQL.
- mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.
I have two questions:
1-what are these exceptions?
2- how to escape those characters?
To my great disappointment, the manual page says complete rubbish, and they refuse to make it correct.
So, quite contrary, there are only few cases when you need this function. So to say ONLY ONE: when you are adding a string into SQL query.
It doesn’t matter too much. As long as you are using LIKE operator on purpose, these characters won’t do any harm.
But if you want to escape the string going to LIKE statement, you can use this code
(note the slash – it is also required to be escaped as manual stating it. also note the
Cletter in the function name).After this procedure you may use the resulting
$likevariable whatever way you are using to build your queries – either quote and escape them or use in the prepared statement.