We are trying to escape some special characters from our string. Please tell me the function that we have to use, e.g. HTC Desire 210 – White
In this example we escape the - (hyphen) special character. In the above example we have a lot of product names with different special characters that we want to escape. Thanks for your co-operation.
- What have you tried so far? Post your attempts. – Narendrasingh Sisodia, Oct 8, 2015 at 9:37
- Possible duplicate of Remove all special characters from a string – Nana Partykar, Oct 8, 2015 at 9:46
7 Answers
Pass the string to this function.

```php
function clean($string)
{
    $string = str_replace(' ', '-', $string); // Replaces spaces with hyphens.

    return preg_replace('/[^A-Za-z0-9\-]/', '', $string); // Removes special chars.
}
```

For more info, check this Remove Special Character - Stackoverflow
Comments
The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement.

Syntax:

```php
mysqli_real_escape_string(connection,escapestring);
```

Example: escape special characters in a string:

```php
<?php
$con = mysqli_connect("localhost", "my_user", "my_password", "my_db");

// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit; // do not continue without a connection
}

// escape variables for security
$firstname = mysqli_real_escape_string($con, $_POST['firstname']);
$lastname = mysqli_real_escape_string($con, $_POST['lastname']);
$age = mysqli_real_escape_string($con, $_POST['age']);

$sql = "INSERT INTO Persons (FirstName, LastName, Age)
        VALUES ('$firstname', '$lastname', '$age')";

if (!mysqli_query($con, $sql)) {
    die('Error: ' . mysqli_error($con));
}
echo "1 record added";

mysqli_close($con);
?>
```

- connection: Required. Specifies the MySQL connection to use.
- escapestring: Required. The string to be escaped. Characters encoded are NUL (ASCII 0), \n, \r, \, ', ", and Control-Z.
1 Comment
Comments
If you need to escape characters that would break a regex / PCRE function (e.g., preg_match()) if not escaped, you can use preg_quote().

For example, let's say your needle and haystack are:

```php
$needle = "needle(";
$haystack = "ibivfdubdvwbneedle(cihbdhcbds";
```

The following preg_match() will throw a warning:

```php
var_dump(preg_match("/" . $needle . "/", $haystack));
```

```
-----> WARNING preg_match(): Compilation failed: missing ) at offset 7 on line number 9
bool(false)
```

because a left parenthesis is a character used in regular expression syntax. However, if you use preg_quote() on the needle, the left parenthesis will be escaped and the regex check will execute:

```php
var_dump(preg_match("/" . preg_quote($needle) . "/", $haystack));
```

```
----> int(1)
```

More discussion about preg_quote() here.
Comments
Use the system function:

```php
$city = $mysqli->real_escape_string($city);
```

See here: http://php.net/manual/en/mysqli.real-escape-string.php
Comments
If you want to use the string in a database SQL operation, then you can escape special characters in mysqli using the function mysqli_real_escape_string().

Syntax:

```php
mysqli_real_escape_string(connection,escapestring);
```

Example:

```php
<?php
$con = mysqli_connect("localhost", "my_user", "my_password", "my_db");

// Check connection
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
    exit; // do not continue without a connection
}

// escape variables for security
$your_string = 'string "hi" ';
$escaped_string = mysqli_real_escape_string($con, $your_string);

$sql = 'select * from tablename where fields like "%' . $escaped_string . '%" ';
$result = $con->query($sql); // was $conn, which is undefined here
// here you can iterate over result array for displaying result
?>
```

You can use addslashes() to escape the string, which returns a string with backslashes added before characters like:
- single quote (')
- double quote (")
- backslash (\)
- NUL (the NUL byte)
But addslashes() has some vulnerabilities to SQL injection; for details see the answers to this question, Examples of SQL Injections through addslashes(). So it is better to use the mysqli_real_escape_string() function if you are doing database operations.

Or, if you want to escape characters for regular expressions, then you can use preg_quote ( string $str [, string $delimiter = NULL ] ), which puts a backslash in front of every character that is part of the regular expression syntax. Regular expression characters are: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : -

Note: Be careful, preg_quote() will not escape single (') or double (") quotes.
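
An added example (not code from any of the answers above) covering the two contexts the answers describe, SQL and regular expressions: it binds the search term as a prepared-statement parameter instead of escaping it into the query text, escapes LIKE wildcards, and passes the delimiter to preg_quote(). The function names, the `products` table and its `name` column are assumptions, and the sample strings are constructed.

```php
<?php
// Added example. Hypothetical names: like_pattern, find_products,
// contains_literal, and the products(name) table.

// Escape LIKE wildcards so the term is matched literally.
// mysqli_real_escape_string() leaves % and _ untouched, so this step is
// needed whether the value is escaped or bound.
// Assumption: MySQL's default LIKE escape character (backslash) is in effect.
function like_pattern(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// Bind the pattern as a parameter; the SQL text never contains user input.
function find_products(mysqli $con, string $term): array
{
    $stmt = $con->prepare('SELECT name FROM products WHERE name LIKE ?');
    $pattern = like_pattern($term);
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Literal substring test through PCRE. Passing the delimiter to preg_quote()
// also escapes a "/" in the needle; the u flag treats both strings as UTF-8.
function contains_literal(string $needle, string $haystack): bool
{
    return preg_match('/' . preg_quote($needle, '/') . '/u', $haystack) === 1;
}

// Constructed sample data; this part runs without a database.
$names = ['HTC Desire 210 – White', 'needle(', '50%_off (new) a/b'];
foreach ($names as $name) {
    printf(
        "%-24s LIKE pattern: %-30s regex match: %s\n",
        $name,
        like_pattern($name),
        var_export(contains_literal($name, "xx{$name}yy"), true)
    );
}
```

find_products() is defined but not called here because it needs a live connection; pass it the `$con` from mysqli_connect().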