I am trying to help prevent SQL injection using mysqli_real_escape_string. I have the following:

<?php

    // Credentials left blank by the poster; mysqli_real_escape_string needs a live
    // connection because it escapes according to the connection's character set.
    $Connect = mysqli_connect ('', '', '', '');

    if (mysqli_connect_errno())
    {
        die ("Couldn't Connect to the Database");
    }

    // Test string: punctuation only, none of the characters mysqli_real_escape_string
    // actually escapes (NUL, \n, \r, \, ', " and Control-Z), so it comes back unchanged.
    $String = "Hello, my name is (*$<>)*$)!*)_£)(!*£$&";

    echo $String."<br><br>";

    // Returns the same text with a backslash placed before each escapable character.
    $Escaped = mysqli_real_escape_string($Connect, $String);

    echo $Escaped; 

?>

The problem is that none of the characters I keyboard-slammed are being escaped, even though they would be considered dangerous characters. All it does is output Hello, my name is (*$<>)*$)!*)_£)(!*£$& in both examples.

Any suggestions?

Thank you

---------------------------
Doesn't matter... I misunderstood what mysqli_real_escape_string does... it adds it to quotes?

All mysqli_real_escape_string does is add a \ in front of the characters to neutralize them; it doesn't remove them. When you echo out the value PHP also uses the \ to output the literal character rather than interpret it, so you won't see the \ in your echoed text.
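As an added example (not code from the thread), the script below shows which characters mysqli_real_escape_string actually touches and why the escaped value only protects a value placed inside a quoted SQL literal; the connection values, the `users` table and its `name` column are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumes a reachable MySQL server;
// connection values, table `users` and column `name` are placeholders.
$Connect = mysqli_connect('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
if (mysqli_connect_errno()) {
    die("Couldn't Connect to the Database");
}

// mysqli_real_escape_string only prefixes a backslash to the characters that can
// end or alter a quoted string literal: NUL, \n, \r, \, ', " and Control-Z.
$samples = [
    "Hello, my name is (*$<>)*$)!*)_£)(!*£$&", // the poster's string: nothing to escape
    "O'Reilly",                               // single quote becomes O\'Reilly
    "line\nbreak\\slash",                     // newline and backslash are both escaped
];

foreach ($samples as $s) {
    $e = mysqli_real_escape_string($Connect, $s);
    // htmlspecialchars + <pre> makes the browser show the backslashes and the < >
    // in the string as text instead of interpreting them as markup.
    echo '<pre>' . htmlspecialchars($s) . "\n => " . htmlspecialchars($e) . "</pre>";
}

// The escaped value is only safe when it sits INSIDE a quoted literal.
$name = mysqli_real_escape_string($Connect, "O'Reilly");
$quoted   = "SELECT id FROM users WHERE name = '$name'"; // quotes delimit the value
$unquoted = "SELECT id FROM users WHERE name = $name";   // no quotes: escaping is useless here

// Prepared statements avoid the quoting rule entirely: the value never becomes SQL text.
$needle = "O'Reilly";
$stmt = mysqli_prepare($Connect, "SELECT id FROM users WHERE name = ?");
mysqli_stmt_bind_param($stmt, 's', $needle);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
?>
```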
