I am using mysqli_real_escape_string() function for prevent SQl Injection.My code
<?php
// open a connection
$dhost = 'localhost';
$duser = 'user';
$dpw = 'pass';
$dname = 'db_name';
$connection = mysqli_connect($dhost, $duser, $dpw, $dname);
// test the connection
if(mysqli_connect_errno()){
die('Something went wrong with the database<br><br> '
. mysqli_connect_error() . ':'
. mysqli_connect_errno());
}
$query = "Isn't it nice that we don't have to escape ' characters all by ourselves?";
echo $query.'<br>';
$escaped = mysqli_real_escape_string($connection , $query);
echo $escaped.'<br>';
mysqli_query($connection,"INSERT into emp (name) VALUES ('$escaped')");
mysqli_close($connection);
?>
when I print $escaped variable it gives output like :
Isn\'t it nice that we don\'t have to escape \' characters all by ourselves?
But when I saw the database field I found this :
Isn't it nice that we don't have to escape ' characters all by ourselves?