How can the use of mysql_real_escape_string function prevent SQL injection attacks in PHP scripts?

SQL injection attacks occur when user input is not properly sanitized, allowing malicious SQL queries to be executed. Using the mysql_real_escape_string function in PHP helps prevent SQL injection by escaping special characters in user input before it is used in a SQL query. This function ensures that any malicious characters are treated as literal characters, rather than executable SQL code.

// Establish a connection to the database
$connection = mysqli_connect(&quot;localhost&quot;, &quot;username&quot;, &quot;password&quot;, &quot;database&quot;);

// Check if the connection is successful
if (!$connection) {
    die(&quot;Connection failed: &quot; . mysqli_connect_error());
}

// Sanitize user input using mysql_real_escape_string
$username = mysqli_real_escape_string($connection, $_POST[&#039;username&#039;]);
$password = mysqli_real_escape_string($connection, $_POST[&#039;password&#039;]);

// Use the sanitized input in a SQL query
$query = &quot;SELECT * FROM users WHERE username=&#039;$username&#039; AND password=&#039;$password&#039;&quot;;
$result = mysqli_query($connection, $query);

// Process the query result
if (mysqli_num_rows($result) &gt; 0) {
    // User authentication successful
} else {
    // User authentication failed
}

// Close the database connection
mysqli_close($connection);

Keywords

mysql_real_escape_string SQL injection PHP scripts security data sanitization

How can the use of mysql_real_escape_string function prevent SQL injection attacks in PHP scripts?

Keywords

Related Questions