mysql_real_escape_string() prepares input for database storage: it calls MySQL's C library function mysql_real_escape_string, which prepends a backslash to each of the following characters: \x00, \n, \r, \, ', " and \x1a.
mysql_real_escape_string() shouldn't be used to sanitize HTML; it should only be used on data that you're about to store in a database. Your sanitization process should look like this:
Input
- Accept user input from a form or HTTP request
- Create the database query, passing the input through mysql_real_escape_string() before placing it in the SQL statement
Output
- Fetch data from the database
- Run any user-supplied data through htmlspecialchars() before printing it
Using a database driver such as MySQLi or PDO allows you to use prepared statements, which take care of escaping bound parameters for you, so the SQL string is never built from user input.
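The input/output flow above, as an added example that is not from the original page: PDO prepared statements on the way in (the route the last paragraph recommends) and htmlspecialchars() on the way out. It assumes an in-memory SQLite PDO connection so it runs offline; with MySQL only the DSN and credentials in connect() change.

```php
<?php
// Added example, not from the original page. Assumption: an in-memory SQLite
// connection is used so this runs offline; for MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass).
// Note: the old mysql_* extension (mysql_real_escape_string() included) was
// removed in PHP 7, so on current PHP the choice is mysqli or PDO anyway.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');
    return $pdo;
}

// Input side: values are bound as parameters and sent separately from the SQL
// text, so quotes, backslashes or NUL bytes in $author/$body cannot alter the
// query. Nothing is HTML-escaped here; the data is stored exactly as received.
function storeComment(PDO $pdo, string $author, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Output side: escaping for the HTML context happens at render time.
// ENT_QUOTES escapes both ' and ", so the value is also safe inside an
// attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function renderComment(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>' . $h($row['author']) . '</b>: ' . $h($row['body']) . '</p>';
}

// Constructed sample input: the kind of values a comment form might submit.
$pdo = connect();
$id = storeComment($pdo, "O'Brien", '<script>alert("x")</script>');
echo renderComment($pdo, $id), PHP_EOL;
```

The single quote in the author name reaches the database intact because it was bound, not concatenated, and the script tag in the body is neutralised only when it is printed, which is the division of labour the two lists above describe.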