MYSQL Real Escape String with PHP
You should sanitize data before inserting or updating data from forms into a mysql database. Two common methods are to use the functions mysql_real_escape_string() or addslashes().
If you plan to update the data in the future, using the stripslashes function applied to the selected data will remove the slashes. Otherwise, you could end up with a string like John\’s shoes.
Here is a method to use the mysqli_real_escape_string() function
//Use the function with a post variable.
$var = mysqli_real_escape_string($db, $_POST[‘name’]);
//Set a variable that is the form post data. Then, make a new variable equal to the post data.
$var = mysqli_real_escape_string($db, $name);
Here is how a query would look with a sanitized variable:
$command= “INSERT INTO table values (NULL, ‘$var’, now());”;
$result = mysqli_query($db, $command);