(PHP 5, PHP 7, PHP 8)
mysqli::real_escape_string -- mysqli_real_escape_string — Maskiert Sonderzeichen in einer Zeichenkette zur Verwendung in einer SQL-Anweisung, wobei der aktuelle Zeichensatz der Verbindung berücksichtigt wird
Objektorientierter Stil
Prozeduraler Stil
Diese Funktion wird verwendet, um eine zulässige SQL-Zeichenkette zu erstellen, die in einer SQL-Anweisung verwendet werden kann. Die angegebene Zeichenkette wird kodiert, um eine maskierte SQL-Zeichenkette zu erzeugen, wobei der aktuelle Zeichensatz der Verbindung zugrunde gelegt wird.
Damit sich der Zeichensatz auf mysqli_real_escape_string() auswirkt, muss er entweder auf der Server-Ebene oder mit der API-Funktion mysqli_set_charset() gesetzt werden. Weitere Informationen zu Zeichensätzen sind im Abschnitt Konzepte zu finden.
mysqlNur bei prozeduralem Aufruf: ein von mysqli_connect() oder mysqli_init() zurückgegebenes mysqli-Objekt.
stringDie Zeichenkette, die maskiert werden soll
Folgende Zeichen werden kodiert: NUL (ASCII 0),
\n, \r, \,
', " und
CTRL+Z.
Gibt eine maskierte Zeichenkette zurück.
Beispiel #1 mysqli::real_escape_string()-Beispiel
Objektorientierter Stil
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");
$city = "'s-Hertogenbosch";
/* diese Abfrage mit maskiertem $city funktioniert */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
$mysqli->real_escape_string($city));
$result = $mysqli->query($query);
printf("Select gab %d Zeilen zurück.\n", $result->num_rows);
/* diese Abfrage schlägt fehl, weil wir $city nicht maskiert haben */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = $mysqli->query($query);Prozeduraler Stil
<?php
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = mysqli_connect("localhost", "my_user", "my_password", "world");
$city = "'s-Hertogenbosch";
/* diese Abfrage mit maskiertem $city funktioniert */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'",
mysqli_real_escape_string($mysqli, $city));
$result = mysqli_query($mysqli, $query);
printf("Select gab %d Zeilen zurück.\n", mysqli_num_rows($result));
/* diese Abfrage schlägt fehl, weil wir $city nicht maskiert haben */
$query = sprintf("SELECT CountryCode FROM City WHERE name='%s'", $city);
$result = mysqli_query($mysqli, $query);Oben gezeigte Beispiele erzeugen eine ähnliche Ausgabe wie:
Select gab 1 Zeilen zurück. Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's-Hertogenbosch'' at line 1 in...
You can avoid all character escaping issues (on the PHP side) if you use prepare() and bind_param(), as an alternative to placing arbitrary string values in SQL statements. This works because bound parameter values are NOT passed via the SQL statement syntax.For percent sign and underscore I use this:
<?php
$more_escaped = addcslashes($escaped, '%_');
?>Note that this function will NOT escape _ (underscore) and % (percent) signs, which have special meanings in LIKE clauses.
As far as I know there is no function to do this, so you have to escape them yourself by adding a backslash in front of them.Presenting several UTF-8 / Multibyte-aware escape functions.
These functions represent alternatives to mysqli::real_escape_string, as long as your DB connection and Multibyte extension are using the same character set (UTF-8), they will produce the same results by escaping the same characters as mysqli::real_escape_string.
This is based on research I did for my SQL Query Builder class:
https://github.com/twister-php/sql
<?php
/**
* Returns a string with backslashes before characters that need to be escaped.
* As required by MySQL and suitable for multi-byte character sets
* Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and ctrl-Z.
*
* @param string $string String to add slashes to
* @return $string with `\` prepended to reserved characters
*
* @author Trevor Herselman
*/
if (function_exists('mb_ereg_replace'))
{
function mb_escape(string $string)
{
return mb_ereg_replace('[\x00\x0A\x0D\x1A\x22\x27\x5C]', '\\\0', $string);
}
} else {
function mb_escape(string $string)
{
return preg_replace('~[\x00\x0A\x0D\x1A\x22\x27\x5C]~u', '\\\$0', $string);
}
}
?>
Characters escaped are (the same as mysqli::real_escape_string):
00 = \0 (NUL)
0A = \n
0D = \r
1A = ctl-Z
22 = "
27 = '
5C = \
Note: preg_replace() is in PCRE_UTF8 (UTF-8) mode (`u`).
Enhanced version:
When escaping strings for `LIKE` syntax, remember that you also need to escape the special characters _ and %
So this is a more fail-safe version (even when compared to mysqli::real_escape_string, because % characters in user input can cause unexpected results and even security violations via SQL injection in LIKE statements):
<?php
/**
* Returns a string with backslashes before characters that need to be escaped.
* As required by MySQL and suitable for multi-byte character sets
* Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and ctrl-Z.
* In addition, the special control characters % and _ are also escaped,
* suitable for all statements, but especially suitable for `LIKE`.
*
* @param string $string String to add slashes to
* @return $string with `\` prepended to reserved characters
*
* @author Trevor Herselman
*/
if (function_exists('mb_ereg_replace'))
{
function mb_escape(string $string)
{
return mb_ereg_replace('[\x00\x0A\x0D\x1A\x22\x25\x27\x5C\x5F]', '\\\0', $string);
}
} else {
function mb_escape(string $string)
{
return preg_replace('~[\x00\x0A\x0D\x1A\x22\x25\x27\x5C\x5F]~u', '\\\$0', $string);
}
}
?>
Additional characters escaped:
25 = %
5F = _
Bonus function:
The original MySQL `utf8` character-set (for tables and fields) only supports 3-byte sequences.
4-byte characters are not common, but I've had queries fail to execute on 4-byte UTF-8 characters, so you should be using `utf8mb4` wherever possible.
However, if you still want to use `utf8`, you can use the following function to replace all 4-byte sequences.
<?php
// Modified from: https://stackoverflow.com/a/24672780/2726557
function mysql_utf8_sanitizer(string $str)
{
return preg_replace('/[\x{10000}-\x{10FFFF}]/u', "\xEF\xBF\xBD", $str);
}
?>
Pick your poison and use at your own risk!If you wonder why (besides \, ' and ") NUL (ASCII 0), \n, \r, and Control-Z are escaped: it is not to prevent sql injection, but to prevent your sql logfile to get unreadable.Caution when escaping the % and _ wildcard characters. According to an often overlooked note at the bottom of:
https://dev.mysql.com/doc/refman/5.7/en/string-literals.html#character-escape-sequences
the escape sequences \% and \_ will ONLY be interpreted as % and _, *if* they occur in a LIKE! (Same for MySQL 8.0)
In regular string literals, the escape sequences \% and \_ are treated as those two character pairs. So if those escape sequences appear in a WHERE "=" instead of a WHERE LIKE, they would NOT match a single % or _ character!
Consequently, one MUST use two "escape" functions: The real-escape-string (or equivalent) for regular string literals, and an amended escape function JUST for string literals that are intended to be used in LIKE.Note that the “like” operator requires an *additional* level of escaping for its special characters, *on top of* that performed by mysql_escape_string. But there is no built-in function for performing this escaping. Here is a function that does it:
function escape_sql_wild($s)
/* escapes SQL pattern wildcards in s. */
{
$result = array();
foreach(str_split($s) as $ch)
{
if ($ch == "\\" || $ch == "%" || $ch == "_")
{
$result[] = "\\";
} /*if*/
$result[] = $ch;
} /*foreach*/
return
implode("", $result);
} /*escape_sql_wild*/