Last updated: Thu, 19 May 2005

mysql_escape_string

(PHP 4 >= 4.0.3, PHP 5)

mysql_escape_string -- Escapes a string for use in a mysql_query

Description

string mysql_escape_string ( string unescaped_string )

This function will escape the unescaped_string, so that it is safe to place it in a mysql_query(). This function is deprecated.

This function is identical to mysql_real_escape_string() except that mysql_real_escape_string() takes a connection handler and escapes the string according to the current character set. mysql_escape_string() does not take a connection argument and does not respect the current charset setting.

Parameters

unescaped_string

The string that is to be escaped.

Return Values

Returns the escaped string.

ChangeLog

Version   Description
4.3.0     This function became deprecated, do not use this function. Instead, use mysql_real_escape_string().

Examples

Example 1. mysql_escape_string() example

<?php
$item = "Zak's Laptop";
$escaped_item = mysql_escape_string($item);
printf("Escaped string: %s\n", $escaped_item);
?>

The above example will output:

Escaped string: Zak\'s Laptop

Notes

Note: mysql_escape_string() does not escape % and _.
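
The note above in practice, as an added example that is not part of the PHP manual: string escaping leaves % and _ untouched, so input destined for a LIKE pattern needs its wildcards escaped separately. demo_mysql_escape() and like_literal() are hypothetical names; the first only reproduces the characters mysql_escape_string() escapes so the script runs without a database, and live code would call mysql_real_escape_string() on an open connection instead.

```php
<?php
// Added illustration; not code from the PHP manual.

// Hypothetical stand-in for mysql_escape_string() so this runs without the
// mysql extension: it backslash-escapes NUL, \n, \r, \, ', " and Ctrl-Z and,
// like the original, ignores the connection character set.
function demo_mysql_escape($s)
{
    return strtr($s, array(
        "\x00" => '\\0',  "\n" => '\\n',  "\r" => '\\r',
        '\\'   => '\\\\', "'"  => "\\'",  '"'  => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Hypothetical helper: make % and _ match literally in a LIKE pattern.
// Backslash is MySQL's default LIKE escape character, so it is escaped too.
function like_literal($s)
{
    return addcslashes($s, '\\%_');
}

// Constructed sample inputs.
$inputs = array("Zak's Laptop", '100%', 'a_b');

foreach ($inputs as $in) {
    // String escaping alone: wildcards reach the LIKE pattern unchanged.
    $escapedOnly = demo_mysql_escape($in);
    // Wildcards neutralised first, then string-escaped for the literal.
    $literal = demo_mysql_escape(like_literal($in));

    echo "input:          $in\n";
    echo "escape only:    name LIKE '%{$escapedOnly}%'\n";
    echo "wildcards too:  name LIKE '%{$literal}%'\n\n";
}
```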



User Contributed Notes
mysql_escape_string
codeslinger at compsalot dot com
05-Feb-2005 02:49
er um...  version_compare did not exist prior to 4.1.0

in any case, adding slashes and dealing with magic quotes etc.  is a sure recipe for major headaches.

You can avoid a whole slew of problems by converting your strings to hex (bin2hex) before passing them to mySQL

mySQL will accept any value in the form of
0xFEAC1234...

It will then automagically convert it back to a string for storage and retrieval while avoiding all of the zillions of problems with special characters.

I have done this with some very large records and never had a problem.

04-Feb-2005 02:03
Here's the solution I came up with for unescaping.  I'm not a "real" programmer so there's probably some huge problem with this.  I've been using it for a while and it seems to work okay though.

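<?php
// Escape a string for a query, choosing the function by PHP version.
function escape_string($string) {
   // nl2br() inserts <br /> before each newline.
   $string = nl2br($string);
   if (version_compare(phpversion(), "4.3.0") == -1) {
     $string = mysql_escape_string($string);
   } else {
     $string = mysql_real_escape_string($string);
   }
   return $string;
}

// Reverse escape_string() on a stored value.
function unescape_string($string) {
   // stripslashes() returns the result, so assign it back.
   $string = stripslashes($string);
   $string = str_replace('<br />', chr(13), $string);
   return $string;
}
?>

boris-pieper AT t-online DOT de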
15-Jan-2005 05:07
Using a function like escape_string makes sure you always use the optimal escape function...

Note: You should use mysql_real_escape_string() (http://php.net/mysql_real_escape_string) if possible (PHP => 4.3.0) instead of mysql_escape_string().

<?php

// Escape with the best function available for the running PHP version.
function escape_string ($string) {
   if (version_compare(phpversion(), "4.3.0") == -1) {
      return mysql_escape_string($string);
   } else {
      return mysql_real_escape_string($string);
   }
}

?>

06-Oct-2004 04:10
Note, there seems to be no good way to unescape the strings. Using this converts newlines to /n or /r/n, strip slashes leaves them as n or rn.

Copyright © 2001-2005 The PHP Group
All rights reserved.
This unofficial mirror is operated at: The Server Pages
Last updated: Thu May 19 17:35:34 2005 CDT