MYSQL Real Escape String PHP

MYSQL Real Escape String with PHP

You should sanitize data before inserting or updating data from forms into a mysql database. Two common methods are to use the functions mysql_real_escape_string() or addslashes().

Note:
If you plan to update the data in the future, using the stripslashes function applied to the selected data will remove the slashes. Otherwise, you could end up with a string like John\'s shoes.

Here is a method to use the mysqli_real_escape_string() function

A)
//Use the function with a post variable.
$var = mysqli_real_escape_string($db, $_POST['name']);

B)
//Set a variable that is the form post data. Then, make a new variable equal to the post data.
$var = mysqli_real_escape_string($db, $name);

Here is how a query would look with a sanitized variable:

$command= "INSERT INTO table values (NULL, '$var',  now());";
$result = mysqli_query($db, $command);