need guidance on how this mysql real escape string works on this statement, i don't want mysqli and the pdo types. i have tried it, but it is not working, need some help about this
$UserName =mysql_real_escape_string($_POST['UserName']);
$password =mysql_real_escape_string($_POST['Password']);
// Insert data into mysql
$sql1="INSERT INTO UserDetail (UserName,Password,Email_Address,Verifycode,AcoountStatus)VALUES('$UserName','$encry_pass','$email','$verify_code','Inactive')";
it is not working … the strings like
/>., still can be enter in the sql database
It is working.
mysql_real_escape_string is a function that escapes characters which have special meaning in SQL.
/ and > do not have special meaning in SQL, so it shouldn't touch them.
If they did have special meaning, then the point of the function is to allow them to be inserted into the database. It makes changes such as converting ' (meaning "Start or end an SQL string") to \' (meaning "An apostrophe").