When should mysql_real_escape_string be used in PHP scripts?
mysql_real_escape_string should be used in PHP scripts when inserting user input into a MySQL database to prevent SQL injection attacks. This function escapes special characters in a string to make it safe for use in SQL queries. It helps to protect your database from malicious input that could potentially harm your data or compromise your system's security.
<?php
// Connect to the database (credentials are placeholders)
$mysqli = new mysqli('localhost', 'username', 'password', 'database');

// Check connection
if ($mysqli->connect_error) {
    die("Connection failed: " . $mysqli->connect_error);
}

// Tell the driver the connection charset; real_escape_string() escapes
// according to this setting, so it must match the server's charset
$mysqli->set_charset('utf8mb4');

// Escape user input before placing it inside a quoted SQL string literal
$user_input = "User's input that needs to be sanitized";
$escaped_input = $mysqli->real_escape_string($user_input);

// Insert escaped input into database (the value must be wrapped in quotes)
$query = "INSERT INTO table_name (column_name) VALUES ('$escaped_input')";
if ($mysqli->query($query) === TRUE) {
    echo "Record inserted successfully";
} else {
    echo "Error: " . $mysqli->error;
}

// Close connection
$mysqli->close();
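The answer above shows escaping for an INSERT. As an added example (not part of the original answer), the block below puts the same idea next to the two cases a reviewer checks first: escaping only protects a value that sits inside single quotes, so an unquoted numeric comparison needs a cast instead, and a prepared statement sidesteps both rules because the value never becomes part of the SQL text. The `users` table, its columns, the credentials and the `findUser*` function names are assumptions for illustration.

```php
<?php
// Added example, not code from the original answer. Table, columns,
// credentials and function names are placeholders.
declare(strict_types=1);

// Throw exceptions on driver errors instead of silently returning false
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Case 1: string value in a quoted literal. real_escape_string() is enough
// here, provided set_charset() was called on the connection first.
function findUserByName(mysqli $db, string $name): array
{
    $safe = $db->real_escape_string($name);
    $sql  = "SELECT id, name FROM users WHERE name = '$safe'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Case 2: numeric value with NO quotes around it. Escaping would change
// nothing (there is no quote character to escape), so the input is coerced
// to an integer before it is interpolated.
function findUserById(mysqli $db, string $id): array
{
    $safeId = (int) $id;
    $sql    = "SELECT id, name FROM users WHERE id = $safeId";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Case 3: prepared statement. The value is sent separately from the query
// text, so neither quoting nor escaping rules apply, for strings or numbers.
function findUserByNamePrepared(mysqli $db, string $name): array
{
    $stmt = $db->prepare("SELECT id, name FROM users WHERE name = ?");
    $stmt->bind_param('s', $name);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = new mysqli('localhost', 'username', 'password', 'database'); // placeholders
$db->set_charset('utf8mb4'); // must precede any real_escape_string() call

// A name containing a quote and a comparison operator, constructed to show
// that the escaped and prepared lookups both treat it as a plain string.
$probe = "O'Brien OR x=x";
printf("escaped:  %d row(s)\n", count(findUserByName($db, $probe)));
printf("prepared: %d row(s)\n", count(findUserByNamePrepared($db, $probe)));
printf("by id:    %d row(s)\n", count(findUserById($db, "42 OR 1=1"))); // cast yields 42

$db->close();
```

Both string lookups return the rows whose name is literally `O'Brien OR x=x` (normally none); the id lookup runs `WHERE id = 42` because the cast discards everything after the leading digits. If a value must land in a place where neither quoting nor a cast applies (a column name, a sort direction, a `LIMIT`), escaping is not a defence at all and the value should be checked against a fixed allow-list instead.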