Oracle 5.0 Reference Manual page 2317

Original MySQL API (Mysql)

mysql_real_escape_string

mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which
prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

This function must always (with few exceptions) be used to make data safe before sending a query to
MySQL. It escapes only the bytes listed above: the LIKE wildcards % and _ pass through unchanged, so
a value that ends up inside a LIKE pattern still needs those escaped separately.

Security: the default character set

The character set must be set either at the server level, or with the API function
mysql_set_charset() for it to affect mysql_real_escape_string(). Changing it with a query such as
SET NAMES updates the server side only; the client library keeps escaping for the character set it
was told about, and with a multi-byte character set that mismatch can leave a quote effectively
unescaped. See the concepts section on character sets for more information.

Parameters

unescaped_string
    The string that is to be escaped.

link_identifier
    The MySQL connection. If the link identifier is not specified, the last link opened by
    mysql_connect() is assumed. If no such link is found, it will try to create one as if
    mysql_connect() was called with no arguments. If no connection is found or established, an
    E_WARNING level error is generated.

Return Values

Returns the escaped string, or FALSE on error.

Examples

Example 20.69. Simple mysql_real_escape_string example

<?php
// Connect
$link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
    OR die(mysql_error());

// Tell the client library which character set the connection uses, so that the
// escaping below is done for that character set (see the security note above)
mysql_set_charset('utf8', $link);

// Query: both values are escaped against the connection they will be sent on
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user, $link),
            mysql_real_escape_string($password, $link));
?>

Example 20.70. An example SQL Injection Attack

<?php
// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// This means the query sent to MySQL would be:
echo $query;
?>

The query sent to MySQL:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

The attacker's leading quote closes the password literal early, and the appended OR ''='' is always
true, so the WHERE clause matches every row and the login check is bypassed. Escaping the quote as in
Example 20.69 keeps the whole value inside the literal. The mysql extension itself is deprecated as of
PHP 5.5 and removed in PHP 7.0; new code should use mysqli or PDO with prepared statements, which keep
query structure and data apart without relying on escaping at all.
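The following is an added example, not code from the PHP manual or from PHP's own source. It models
the byte table mysql_real_escape_string applies and adds a toy lexer for MySQL single-quoted
literals, so that the difference between Example 20.70 and Example 20.69 can be checked mechanically:
a query is injectable exactly when user input changes its shape (the text outside the literals). The
single-byte character set, the lexer, and the users/user/password names are assumptions of this
example; the escape table is the one the manual lists.

```python
"""Model of mysql_real_escape_string plus a toy literal lexer (added example,
not from the PHP manual). Assumes a single-byte connection character set."""
from __future__ import annotations

# The seven bytes the manual lists, each with the two-byte sequence that
# libmysqlclient emits in its place.
_ESCAPES = {
    0x00: b"\\0",   # NUL
    0x0A: b"\\n",   # newline
    0x0D: b"\\r",   # carriage return
    0x5C: b"\\\\",  # backslash
    0x27: b"\\'",   # single quote
    0x22: b'\\"',   # double quote
    0x1A: b"\\Z",   # Ctrl-Z
}
_UNESCAPES = {seq[1]: byte for byte, seq in _ESCAPES.items()}

# Shape of the manual's login query once every literal is replaced by '?'.
EXPECTED_SHAPE = b"SELECT * FROM users WHERE user=? AND password=?"


def mysql_real_escape_string(unescaped: bytes) -> bytes:
    """Escape as the C library does for a single-byte character set. With a
    multi-byte set the real function needs to know that set (hence the
    manual's mysql_set_charset requirement); this model does not cover it."""
    out = bytearray()
    for b in unescaped:
        out += _ESCAPES.get(b, bytes([b]))
    return bytes(out)


def build_query(user: bytes, password: bytes, escape: bool) -> bytes:
    """The query from the manual's examples, with or without escaping."""
    if escape:
        user = mysql_real_escape_string(user)
        password = mysql_real_escape_string(password)
    return (b"SELECT * FROM users WHERE user='" + user
            + b"' AND password='" + password + b"'")


def split_sql(query: bytes) -> tuple[bytes, list[bytes]]:
    """Toy MySQL lexer for single-quoted literals. Returns the query with each
    literal replaced by '?' (its shape) and the decoded literal values. Inside
    a literal a backslash escape and a doubled quote ('') stay in the literal."""
    shape = bytearray()
    literals: list[bytes] = []
    current: bytearray | None = None      # bytearray while inside a literal
    i, n = 0, len(query)
    while i < n:
        b = query[i]
        if current is None:               # outside any literal
            if b == 0x27:
                current = bytearray()
                shape += b"?"
            else:
                shape.append(b)
            i += 1
        elif b == 0x5C and i + 1 < n:     # backslash escape
            current.append(_UNESCAPES.get(query[i + 1], query[i + 1]))
            i += 2
        elif b == 0x27 and i + 1 < n and query[i + 1] == 0x27:  # '' -> '
            current.append(0x27)
            i += 2
        elif b == 0x27:                   # closing quote
            literals.append(bytes(current))
            current = None
            i += 1
        else:
            current.append(b)
            i += 1
    if current is not None:
        raise ValueError("unterminated string literal")
    return bytes(shape), literals


def keeps_shape(user: bytes, password: bytes, escape: bool) -> bool:
    """True if the input only ended up inside literals, i.e. the query's
    structure is unchanged. An injection is exactly a False result."""
    shape, _ = split_sql(build_query(user, password, escape))
    return shape == EXPECTED_SHAPE


if __name__ == "__main__":
    payload = b"' OR ''='"                # the password from Example 20.70
    for escape in (False, True):
        q = build_query(b"aidan", payload, escape)
        shape, lits = split_sql(q)
        print(("escaped:   " if escape else "unescaped: ") + q.decode())
        print("  shape:", shape.decode(), " literals:", lits)
```

Run stand-alone it prints both queries: the unescaped one lexes to the shape
`... user=? AND password=? OR ?=?` with four empty-or-short literals, while the escaped one keeps
the expected two-literal shape with the entire payload recovered as the second literal. The same
check shows the LIKE caveat: `%` and `_` come back from mysql_real_escape_string unchanged.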
