When would I need to use the real_escape_string() function in the mysqli class?

When would I need to use the real_escape_string() function in the mysqli class? I read the
explanation in http://php.net/manual/en/function.stripslashes.php

but I'm not sure I understand what it does or when to use it.
Cornelia Yoder (Artist) commented:
SQL Injection hacking uses certain characters to get access to your database structure and from that to your data.  mysql_real_escape_string() safeties those characters so they cannot be used in a query for hacking purposes.

ALL inputs, and I mean ALL, even hidden inputs, need to be safetied against hacking if they are ever used in any way in any query.

Most inputs should be checked directly ... if it is supposed to be a number, check that it is a number, if it is supposed to be one of three values, check that it is one of those three values, and etc.

Text input is the big problem, since it can be made to contain those special characters, and is not easily checked with a whitelist or value type, so you need to use a safety mechanism such as mysql_real_escape_string() to guard it.

EVERY input must be checked, remember that and you won't be coming back here next month asking how to recover from hacking :):)
Marco Gasi (Freelancer) commented:
A note: your link is to stripslashes, not to the real_escape_string() function: a typo?

The real_escape_string() function places a backslash before some dangerous characters such as NUL (ASCII 0), \n, \r, \, ', ", and Control-Z. (http://it.php.net/manual/en/mysqli.real-escape-string.php) This is useful every time you have to insert values into a database, preventing bad data from being inserted. As the PHP manual says, you have to use this function every time you send a query to MySQL.
Ray Paseur commented:
Use it on everything that is not an internally generated integer.  It will cause no harm and may save your bacon some day!
Nura111 (Author) commented:
Is it also a security issue if I'm not using it?
Ray Paseur commented:
Yes, it can prevent a foreign agent from injecting information into your queries. Look up SQL injection on this and other sites.
Nura111 (Author) commented:
Is it the same issue as not using htmlspecialchars() on an input from a user?
Is there a need to use both?
Nura111 (Author) commented:
Another thing: so you mean to use mysql_real_escape_string()
on the input before it's used to insert into the DB or otherwise, right?

So what is the issue when using {$row['id']} in an HTML form, e.g.
without htmlspecialchars()? Before, I was told it's a security issue as well; I don't understand why.
Cornelia Yoder (Artist) commented:
You do not need to use both.  I personally prefer and use htmlspecialchars() on all text input.

The difference is that mysql_real_escape_string just safeties the SQL injection hacking, but not certain other kinds of things.   htmlspecialchars changes ALL special characters into their html &#xxx code equivalents.

The only drawback to using htmlspecialchars is that it takes a few more bytes in your database ... each special character takes 5 bytes instead of 1 ... so if you have a LOT of text with special characters stored, that might be a problem.

The advantage of using htmlspecialchars is that it safeties more things, for example not letting some evil javascript into your database that might be exploited later.
Ray Paseur commented:
If you accept and store any external textual input, you need to filter it.  If, for example, you're expecting an English-language name you can expect that it will contain alphabetic characters, the space, apostrophe, hyphen, comma, and the period.  Example:

Leonard O'Pinth-Garnell, Jr.

A regular expression that would remove all the other stuff would look something like this (the caret inside the character class implies negation; the apostrophe is included so the name above survives, and the hyphen sits last so it is taken literally):

/[^ A-Z',.-]/i

So each time you received a name from an external source, you would apply the regular expression and you would thereby accept only known good values for your name field.

If you have unfiltered or marginally filtered data in your database, you need to escape it before you send it to the browser output stream. Otherwise you risk becoming an attack vector against your clients. Example:

echo '<td>';
echo htmlentities($row["usertext"]);
echo '</td>';

I prefer to escape the data on the outbound side of things, rather than escaping the data before storing it. If you escape before you put the data into the database, you may have munged the data, and in any case, you have not stored the data that was sent to you; you have stored something that is a derivative work. Search algorithms may not work correctly on the escaped data. The origin of the term is uncertain, but a mung operation makes changes to the data in a way that may be irrevocable and that loses some of the original information.

Required reading:

Old, but still valuable:

Now having said that, you need to be aware that the whole field of security is growing rapidly.  The US Government has just put a crack team of 115 engineers to work at the National Security Agency for the purpose of studying the field.  The University of Maryland offers a full-time, four-year college major in IT Security.  So you must not assume that you can follow a few "best practices" and things will work out OK.  You need to be learning about the new threats all the time and reviewing your code to see if there are new threats that might cause you to need to refactor your old code.  It's never going to end, so you might as well join the rest of us who do our best to keep up to date on the threats that are around us.

Best regards, ~Ray
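A worked example, added here and not code from anyone in the thread, that ties together Cornelia's advice to check each input directly against what it is supposed to be and Ray's whitelist regex plus escaping on the way out. The users table, its columns and the connection details are hypothetical.

```php
<?php
// Added example; not code from the thread. The users table, its columns and the
// connection details are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// 1. Validate on the way in: keep only the characters an English-language name is
//    expected to contain (the whitelist from the answer, apostrophe included so
//    "O'Pinth-Garnell" survives). Anything else is dropped rather than escaped.
function filter_name(string $raw): string
{
    return preg_replace("/[^ A-Z',.-]/i", '', $raw);
}

// 2. Escape only inside a quoted SQL literal. real_escape_string() backslashes
//    ' " \ NUL \n \r and Ctrl-Z, which protects a quoted string but does nothing
//    for an unquoted number, so the integer is cast instead of escaped.
function build_user_query(mysqli $db, string $name, string $id): string
{
    $safeName = $db->real_escape_string($name);
    $safeId   = (int) $id;
    return "SELECT id, name FROM users WHERE name = '$safeName' OR id = $safeId";
}

// 3. Escape on the way out, not before storing: the database keeps the text
//    exactly as received, and the browser gets entities instead of markup.
function render_cell(string $userText): string
{
    return '<td>' . htmlspecialchars($userText, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Constructed inputs that exercise each step.
$name = filter_name("Leonard O'Pinth-Garnell, Jr. <script>");
echo "filtered name: $name", PHP_EOL;            // angle brackets gone, apostrophe kept
echo render_cell('<b>hi</b> & "bye"'), PHP_EOL;  // markup arrives as entities

try {
    $db = new mysqli('localhost', 'app', 'secret', 'app');   // hypothetical credentials
    $db->set_charset('utf8mb4');   // escaping is charset-aware: set it before escaping
    echo build_user_query($db, $name, '7'), PHP_EOL;
    echo build_user_query($db, $name, '7 OR 1=1'), PHP_EOL;  // the cast keeps only 7
} catch (mysqli_sql_exception $e) {
    echo 'no database available, query step skipped', PHP_EOL;
}
```

The first two steps run without a database; the query step only runs when the hypothetical connection succeeds.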