How can special characters like quotes be safely included in SQL queries after using functions like mysql_real_escape_string?

Special characters like quotes can be safely included in SQL queries after using functions like mysql_real_escape_string by wrapping the escaped string in single quotes when constructing the SQL query. This ensures that the special characters are properly escaped and will not be interpreted as part of the SQL query.

// Assuming $conn is the database connection and $input contains the user input
$input = &quot;John&#039;s Book&quot;;
$escaped_input = mysqli_real_escape_string($conn, $input);
$sql = &quot;INSERT INTO table_name (column_name) VALUES (&#039;$escaped_input&#039;)&quot;;
mysqli_query($conn, $sql);

Keywords

PHP mysql_real_escape_string SQL injection special characters security

How can special characters like quotes be safely included in SQL queries after using functions like mysql_real_escape_string?

Keywords

Related Questions