mysql_real_escape_string() and stripslashes()

I just picked up some knowledge that I want to share; it's about SQL injection. It's one of the ways to hack, and I'm going to try to share a way to prevent it.

SQL injection can be described as an attack on a site through SQL. Normally, the attacks use quotes (" ' ") to cut off the SQL code and send new code in its place.

At first I didn't know that PHP already provides a function to prevent SQL injection; I just found it out. The code below shows the usage.


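// Example input containing single quotes
$string = "sql'inject'ion";
// mysql_real_escape_string() needs an open connection (legacy mysql extension)
$connection = mysql_connect("DB_HOST", "DB_USER", "DB_PASSWORD");
$filter_name = mysql_real_escape_string($string, $connection);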

You need to open a connection first; that is how it works. Normally, if you echo $string the result is sql'inject'ion, but if you echo $filter_name the result is sql\'inject\'ion.

Now you must be wondering: if you use that code, the data that's been saved is going to look like sql\'inject\'ion in the database, and if you echo it from the database it is not going to change back to sql'inject'ion. The code below will help you change it back to the normal words again.


echo stripslashes($filter_name);
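
As an added example (not code from the original post): the mysql_* functions used above were removed in PHP 7.0, and the current way to keep quotes in input from changing a query is a parameterized statement. The code assumes PDO with an in-memory SQLite database and a hypothetical `names` table so it runs without a server; it reads the values back to compare them with what was submitted, and checks what stripslashes() does to a stored value that legitimately contains backslashes.

```php
<?php
// Added example, not from the original post. Assumption: PDO with an
// in-memory SQLite database; the same prepare()/execute() calls apply
// to PDO's MySQL driver. The table name "names" is hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE names (id INTEGER PRIMARY KEY, name TEXT)');

// Constructed sample inputs: the post's string, a value with real
// backslashes, and a quote-heavy value of the kind the post describes.
$inputs = array(
    "sql'inject'ion",
    'C:\\temp\\report',
    "' OR '1'='1",
);

// The value travels separately from the SQL text, so quotes in it cannot
// end the string literal, and no manual escaping is applied.
$insert = $pdo->prepare('INSERT INTO names (name) VALUES (:name)');
foreach ($inputs as $value) {
    $insert->execute(array(':name' => $value));
}

// Read everything back in insertion order.
$stored = $pdo->query('SELECT name FROM names ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);

foreach ($stored as $i => $name) {
    // Compare what the database returns with what was submitted.
    $same = ($name === $inputs[$i]) ? 'unchanged' : 'CHANGED';
    // Check whether running stripslashes() on read would alter the value.
    $strip = (stripslashes($name) === $name) ? 'no effect' : 'corrupts value';
    printf("%-18s stored: %-9s stripslashes(): %s\n", $name, $same, $strip);
}

// Every input became exactly one row; none of them altered the statement.
printf("rows: %d\n", $pdo->query('SELECT COUNT(*) FROM names')->fetchColumn());
```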

Hopefully my short note on preventing SQL injection is useful.
