I'm currently using mysqli_real_escape_string. It is working fine but I want to know whether there is a function more broader, which will escape more characters than the predefined ones like ',",\r etc.
- http://stackoverflow.com/questions/14114411/remove-all-special-characters-from-a-string – Saravanan N Jun 17 '16 at 06:06
- I have tried addslashes() too, but it's almost the same as mysqli_real_escape_string() – ankita kedia Jun 17 '16 at 06:08
- Why not use [prepare](http://php.net/manual/en/mysqli.prepare.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php) – Saty Jun 17 '16 at 06:13
- Every character can be escaped, but based on what you said (inserting that string with the single quote), that's not what you want. With real_escape_string that will get correctly escaped. So what's your actual problem? – Evert Jun 17 '16 at 06:21
- Note that was a response to a comment of OP that was deleted afterwards. – Evert Jun 17 '16 at 06:21
1 Answer
You should treat the data depending on its context.
So when you put it in a MySQL database you want to treat it so it does not interfere with the internal processes.
When you want to output the data in a browser you treat it so it can not be processed in a way it is not meant to. By just 'randomly' escaping everything you are just distorting data.
But if you really want to... I guess you could use preg_replace(), str_replace(), or addcslashes() to build your own 'escaping' function. You just have to define those characters you want to escape (and then search and replace them with '\'+the character, in case of preg_- and str_replace).
If you don't want to just escape every piece of data but it is about getting the string correctly into the database, you might want to just use Prepared Statements. They work a little differently from normal queries, so the values don't have to be treated in a specific way. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
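The two contexts the answer describes, worked through in code. This is an added example, not part of the original answer; it assumes a reachable MySQL server, the hypothetical credentials `demo_user`/`demo_pass`, a database named `app_demo`, and a PHP build with mysqlnd (needed for `get_result()`). The input strings are constructed to contain the characters the question worries about.

```php
<?php
// Added example (not from the original post). Assumes a MySQL server on
// 127.0.0.1 with the hypothetical user demo_user / demo_pass and a database
// named app_demo; the temporary table below is created by this script.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli('127.0.0.1', 'demo_user', 'demo_pass', 'app_demo');
$db->set_charset('utf8mb4'); // real_escape_string() depends on the connection charset

$db->query('CREATE TEMPORARY TABLE comments (
    id INT AUTO_INCREMENT PRIMARY KEY,
    author VARCHAR(100) NOT NULL,
    body TEXT NOT NULL
)');

// Constructed input: quotes, a backslash, an injection attempt and HTML markup.
$author = "O'Reilly \\ \"Test\"";
$body   = "1' OR '1'='1 -- <script>alert(1)</script> 100% off";

// Database context: with a prepared statement the SQL text and the values travel
// separately, so no character in $author or $body can alter the query, and the
// data itself is stored unchanged (no escaping is applied to it).
$stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$stmt->bind_param('ss', $author, $body);
$stmt->execute();
$stmt->close();

$stmt = $db->prepare('SELECT author, body FROM comments WHERE author = ?');
$stmt->bind_param('s', $author);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

var_dump($row['body'] === $body); // bool(true): stored byte-for-byte as submitted

// Output context: escape for HTML at the moment of output, never before storing.
// The <script> tag becomes inert text; the quotes survive as data.
printf("<p><b>%s</b>: %s</p>\n",
    htmlspecialchars($row['author'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    htmlspecialchars($row['body'],   ENT_QUOTES | ENT_HTML5, 'UTF-8'));

// The route the question asks about, for comparison: real_escape_string() is
// only valid for a quoted string literal inside a query, and only on this
// connection's charset. It is still a correct way to build that literal.
$literal = "'" . $db->real_escape_string($body) . "'";
$count   = $db->query("SELECT COUNT(*) AS n FROM comments WHERE body = $literal")
              ->fetch_assoc()['n'];
var_dump((int) $count); // int(1): the escaped literal matched the stored row

// "Escaping more characters" with addcslashes() does not add safety in either
// context; it only changes the data. Storing this would corrupt what the user wrote.
$distorted = addcslashes($body, '%<>');
var_dump($distorted === $body); // bool(false): "100\% off", "\<script\>" ...
var_dump($distorted);

$db->close();
```

The point of the last few lines is the answer's caveat: an escaping step belongs to exactly one consumer (the SQL string-literal parser, or the HTML parser), is applied right before handing the data to that consumer, and is never applied to the stored copy. Prepared statements remove the SQL step entirely; `htmlspecialchars()` at output time covers the browser.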