
escape strings to be set to mysql queries

minnirok asked
Last Modified: 2010-08-05

I have some strings I'll have to send to a php script to be used in sql statements. I have some concerns about single quotes, backslashes, etc. that may foul up the sql statement:

  "Hi, I'll use some single quotes ('')in this statement!"

If I try passing that as is I will meet certain doom. Is there some premade function in javascript to escape the characters that will give sql a problem?


Hi minnirok,

There is a premade function in PHP.  Probably mysql_escape_real_quotes() should do your bidding.
But in javascript?

I think it would be a function that replaces all ' characters with \'
I don't know if one already exists in javascript though.

Joe P


Hi Joe,

Yeah I saw the one in PHP but thought it'd be better to let the client do this work instead of putting it on the server? Don't know. I could make my own char replacement function if I have to.

There is no built-in function for Javascript that I know of. You can probably build one yourself, especially for quotes with simple regex in Javascript. BogoJoker, I believe you mean mysql_real_escape_string() which is a mysql library function. A similar one could be PHP's addslashes()

As for your comment, minnirok about the client doing the work, it is infinitely better to have the server do the work. You can never trust the client since they could somehow put a process in between their escaping and the server receiving the data. Having the server do it means that the server last sees it and the user cannot do anything malicious anymore.
Oop, Zyloch you're right.  I always try and remember the name of that function and always end up going to php.net and finding it anyway.  Hehe, thanks.

Agree with Zyloch.  The server should always have the last say, it's much safer, and MUCH more predictable because you have 100% control.  With javascript who knows, the user might even have javascript turned off!

Joe P



Ok fair enough, so I just use it like this right:


    $passedParam1 = "My name is 'guy', I am from NYC";
    $passedParam2 = "My dog's name is 'Indy'";

    // each value is escaped, then wrapped in single quotes inside the SQL text
    $strSql = "SELECT * FROM users WHERE field1 = '" . mysql_real_escape_string($passedParam1) . "' AND field2 = '" . mysql_real_escape_string($passedParam2) . "'";

    // then execute.


Quite right. You may also be interested in an alternative way to use it. It is really the same thing, but sometimes it is more organized:

$strSql = sprintf("SELECT * FROM %s", mysql_real_escape_string($table_name));

Of course, you would never have something that simple, but it gives you the general gist. If you have a lot of user variables, you may want to think about using sprintf to organize it a bit more.


I must be doing something wrong, just tried the following:

$str1= "hello there";

$str2 = mysql_real_escape_string($str1);
echo $str2;

but I don't get anything actually printed - just blank! What did I do wrong?


whoops nevermind - should have read the whole documentation page - we have to have a connection to the db before trying to use the function.

Thanks everyone.

Yep :-) mysql_real_escape_string is a mysql library function, not a PHP one.
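The server-side approach the thread settles on, as an added example that is not from the thread or its posters: it uses the mysqli extension (the mysql_* functions were removed in PHP 7) with placeholder connection details, and shows both the escape-and-quote form and a prepared statement, which needs no escaping step at all. The mysqlnd driver is assumed for mysqli_stmt_get_result().

```php
<?php
// Added example, not code from the thread. Connection details are placeholders.
$db = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db === false) {
    die('Connect failed: ' . mysqli_connect_error());
}
// Escaping rules depend on the connection's character set, which is why the
// thread's call made with no open connection returned an empty result.
mysqli_set_charset($db, 'utf8mb4');

// The same two user-supplied values used in the thread.
$passedParam1 = "My name is 'guy', I am from NYC";
$passedParam2 = "My dog's name is 'Indy'";

// Variant 1: escape each value, then place it inside a quoted literal.
// The escaping only makes the value safe *inside* quotes; the surrounding
// single quotes in the SQL text are still required.
$strSql = sprintf(
    "SELECT * FROM users WHERE field1 = '%s' AND field2 = '%s'",
    mysqli_real_escape_string($db, $passedParam1),
    mysqli_real_escape_string($db, $passedParam2)
);
$result = mysqli_query($db, $strSql);
if ($result === false) {
    die('Query failed: ' . mysqli_error($db));
}

// Variant 2: a prepared statement. The values are sent separately from the
// SQL text, so there is no escaping step to forget or get wrong.
$stmt = mysqli_prepare($db, "SELECT * FROM users WHERE field1 = ? AND field2 = ?");
mysqli_stmt_bind_param($stmt, 'ss', $passedParam1, $passedParam2);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);   // requires the mysqlnd driver
while ($row = mysqli_fetch_assoc($result)) {
    print_r($row);
}
mysqli_stmt_close($stmt);
mysqli_close($db);
```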