I am trying to help prevent SQL injection using mysqli_real_escape_string. I have the following:
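<?php
// Connection parameters are left blank here.
$Connect = mysqli_connect('', '', '', '');
if (mysqli_connect_errno())
{
    die("Couldn't Connect to the Database");
}
// Test string containing assorted punctuation.
$String = "Hello, my name is (*$<>)*$)!*)_£)(!*£$&";
echo $String."<br><br>";
// Escape the string using the connection's character set.
$Escaped = mysqli_real_escape_string($Connect, $String);
echo $Escaped;
?>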
The problem is that none of the characters that I keyboard-slammed are being escaped, even though they would be considered dangerous characters. All it does is output Hello, my name is (*$<>)*$)!*)_£)(!*£$& in both examples.
Any suggestions?
Thank you
---------------------------
Doesn't matter... I misunderstood what mysqli_real_escape_string does... it adds it to quotes?
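
Why the output above is unchanged, as an added example that is not part of the original post: the PHP manual documents mysqli_real_escape_string as escaping only NUL, \n, \r, \, ', " and Control-Z, and none of those occur in the test string. The helper `demo_escape()` is a hypothetical pure-PHP stand-in for that character set so the script runs without a database, and the `users` table and `name` column are assumed names.

```php
<?php
// Hypothetical stand-in mirroring the character set the PHP manual documents
// for mysqli_real_escape_string(). The real function is charset-aware and
// needs a live connection; this one exists only to show which bytes change.
function demo_escape(string $value): string
{
    // strtr() with an array never rescans replaced text, so the backslashes
    // it inserts are not escaped a second time.
    return strtr($value, [
        "\\"   => "\\\\",  // backslash (the escape character itself)
        "\0"   => "\\0",   // NUL byte
        "\n"   => "\\n",   // newline
        "\r"   => "\\r",   // carriage return
        "'"    => "\\'",   // single quote
        '"'    => '\\"',   // double quote
        "\x1a" => "\\Z",   // Control-Z
    ]);
}

// Constructed sample inputs.
$samples = [
    'Hello, my name is (*$<>)*$)!*)_£)(!*£$&', // the string from the post
    "O'Reilly",                                // contains a single quote
    'path\\to "file"',                         // contains a backslash and double quotes
];

foreach ($samples as $raw) {
    $escaped = demo_escape($raw);
    // Escaping does not add quotes: the query text has to supply them, and
    // the escaped value is only meaningful inside that quoted literal.
    // Table and column names are hypothetical.
    $sql = "SELECT id FROM users WHERE name = '" . $escaped . "'";
    $status = ($escaped === $raw) ? 'unchanged' : 'escaped';
    printf("%-9s %s\n  -> %s\n", $status, $raw, $sql);
}
```

With a live connection, bound parameters through mysqli_prepare() and mysqli_stmt_bind_param() remove the need for manual escaping.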