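--- a/reference/mysqli/mysqli/real-escape-string.xml
+++ b/reference/mysqli/mysqli/real-escape-string.xml
@@ -3,7 +3,6 @@
 <refentry xml:id="mysqli.real-escape-string" xmlns="http://docbook.org/ns/docbook">
 <refnamediv>
 <refname>mysqli::real_escape_string</refname>
-<refname>mysqli::escape_string</refname>
 <refname>mysqli_real_escape_string</refname>
 <refpurpose>Escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection</refpurpose>
 </refnamediv>
@@ -11,23 +10,19 @@
 <refsect1 role="description">
 &reftitle.description;
 <para>&style.oop;</para>
-<methodsynopsis role="oop">
-<type>string</type><methodname>mysqli::escape_string</methodname>
-<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
-</methodsynopsis>
-<methodsynopsis role="oop">
-<type>string</type><methodname>mysqli::real_escape_string</methodname>
-<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
+<methodsynopsis role="mysqli">
+<modifier>public</modifier> <type>string</type><methodname>mysqli::real_escape_string</methodname>
+<methodparam><type>string</type><parameter>string</parameter></methodparam>
 </methodsynopsis>
 <para>&style.procedural;</para>
 <methodsynopsis>
 <type>string</type><methodname>mysqli_real_escape_string</methodname>
-<methodparam><type>mysqli</type><parameter>link</parameter></methodparam>
-<methodparam><type>string</type><parameter>escapestr</parameter></methodparam>
+<methodparam><type>mysqli</type><parameter>mysql</parameter></methodparam>
+<methodparam><type>string</type><parameter>string</parameter></methodparam>
 </methodsynopsis>
 <para>
 This function is used to create a legal SQL string that you can use in an
-SQL statement. The given string is encoded to an escaped SQL string,
+SQL statement. The given string is encoded to produce an escaped SQL string,
 taking into account the current character set of the connection.
 </para>
 <caution>
@@ -48,14 +43,16 @@
 <variablelist>
 &mysqli.link.description;
 <varlistentry>
-<term><parameter>escapestr</parameter></term>
+<term><parameter>string</parameter></term>
 <listitem>
 <para>
 The string to be escaped.
 </para>
 <para>
-Characters encoded are <literal>NUL (ASCII 0), \n, \r, \, ', ", and
-Control-Z</literal>.
+Characters encoded are <literal>NUL (ASCII 0)</literal>,
+<literal>\n</literal>, <literal>\r</literal>, <literal>\</literal>,
+<literal>'</literal>, <literal>"</literal>, and
+<keycombo action='simul'><keycap>CTRL</keycap><keycap>Z</keycap></keycombo>.
 </para>
 </listitem>
 </varlistentry>
@@ -70,14 +67,6 @@
 </para>
 </refsect1>
 
-<refsect1 role="errors">
-&reftitle.errors;
-<para>
-Executing this function without a valid MySQLi connection passed in will
-return &null; and emit <constant>E_WARNING</constant> level errors.
-</para>
-</refsect1>
-
 <refsect1 role="examples">
 &reftitle.examples;
 <example>
@@ -86,102 +75,65 @@
 <programlisting role="php">
 <![CDATA[
 <?php
-$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
 
-/* check connection */
-if (mysqli_connect_errno()) {
-printf("Connect failed: %s\n", mysqli_connect_error());
-exit();
-}
-
-$mysqli->query("CREATE TEMPORARY TABLE myCity LIKE City");
-
-$city = "'s Hertogenbosch";
-
-/* this query will fail, cause we didn't escape $city */
-if (!$mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
-printf("Error: %s\n", $mysqli->sqlstate);
-}
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
 
-$city = $mysqli->real_escape_string($city);
+$city = "'s-Hertogenbosch";
 
 /* this query with escaped $city will work */
-if ($mysqli->query("INSERT into myCity (Name) VALUES ('$city')")) {
-printf("%d Row inserted.\n", $mysqli->affected_rows);
-}
-
-$mysqli->close();
-?>
+$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
+$mysqli->real_escape_string($city));
+$result = $mysqli->query($query);
+printf("Select returned %d rows.\n", $result->num_rows);
+
+/* this query will fail, because we didn't escape $city */
+$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
+$result = $mysqli->query($query);
 ]]>
 </programlisting>
 <para>&style.procedural;</para>
 <programlisting role="php">
 <![CDATA[
 <?php
-$link = mysqli_connect("localhost", "my_user", "my_password", "world");
 
-/* check connection */
-if (mysqli_connect_errno()) {
-printf("Connect failed: %s\n", mysqli_connect_error());
-exit();
-}
+mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
+$mysqli = mysqli_connect("localhost", "my_user", "my_password", "world");
 
-mysqli_query($link, "CREATE TEMPORARY TABLE myCity LIKE City");
-
-$city = "'s Hertogenbosch";
-
-/* this query will fail, cause we didn't escape $city */
-if (!mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
-printf("Error: %s\n", mysqli_sqlstate($link));
-}
-
-$city = mysqli_real_escape_string($link, $city);
+$city = "'s-Hertogenbosch";
 
 /* this query with escaped $city will work */
-if (mysqli_query($link, "INSERT into myCity (Name) VALUES ('$city')")) {
-printf("%d Row inserted.\n", mysqli_affected_rows($link));
-}
-
-mysqli_close($link);
-?>
+$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
+mysqli_real_escape_string($mysqli, $city));
+$result = mysqli_query($mysqli, $query);
+printf("Select returned %d rows.\n", mysqli_num_rows($result));
+
+/* this query will fail, because we didn't escape $city */
+$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
+$result = mysqli_query($mysqli, $query);
 ]]>
 </programlisting>
-&examples.outputs;
+&examples.outputs.similar;
 <screen>
 <![CDATA[
-Error: 42000
-1 Row inserted.
+Select returned 1 rows.
+
+Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...
 ]]>
 </screen>
 </example>
 </refsect1>
 
-<refsect1 role="notes">
-&reftitle.notes;
-<note>
-<para>
-For those accustomed to using <function>mysql_real_escape_string</function>,
-note that the arguments of <function>mysqli_real_escape_string</function>
-differ from what <function>mysql_real_escape_string</function> expects.
-The <parameter>link</parameter> identifier comes first in
-<function>mysqli_real_escape_string</function>, whereas the string to be escaped
-comes first in <function>mysql_real_escape_string</function>.
-</para>
-</note>
-</refsect1>
-
 <refsect1 role="seealso">
 &reftitle.seealso;
 <para>
 <simplelist>
 <member><function>mysqli_set_charset</function></member>
-<member><function>mysqli_character_set_name</function></member>
 </simplelist>
 </para>
 </refsect1>
 
 </refentry>
-
 <!-- Keep this comment at the end of the file
 Local variables:
 mode: sgml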