MySQL real escape string

Question

I was trying to sanitize inputs to my PHP login using addslashes and mysql_real_escape_string. Using addslashes works, but mysql_real_escape_string will not.

Here's an example of what allows me to log in correctly:

$user = addslashes($_POST['user']);<br/>
$password = addslashes($_POST['password']);

And this will not:

$user = mysql_real_escape_string($_POST['user']);<br/>
$password = mysql_real_escape_string($_POST['password']);

Also, some of my other fields contain apostrophes. Nothing is returned when using addslashes, since the entry in the DB isn't escaped. I was wondering if using mysql_real_escape_string could fix this, but I don't know how.

Answer 1

Always use mysql_real_escape_string instead of addslashes. Make sure you are connected to the database before running it otherwise you will error.

Answer 2

mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.

And Most important thing is don't trust user input.

So, use htmlspecialchars and strip_tags for better security.

Answer 3

Sometimes user may type ', this symbol but sql treat as an different way and let it not allow to insert in to tables,we cant restrict the user so that we use MySQL real escape string to avoid this kind of error

Note: if you implement this it should be connect to database else it wont work