How To Properly Escape A String Via Php And Mysql

Can someone explain what is the difference between using mysql_real_escape_string on a string or wrapping `` around the column. For example 'insert into table (``column``) values

Solution 1:

There's a difference between the backtick ` and the single quote '.

The backtick is intended to escape table and field names that may conflict with MySQL reserved words. If I had a field named date and a query like SELECT date FROM mytable I'd need to escape the use of date so that when MySQL parses the query, it will interpret my use of date as a field rather than the datatypedate.

The single quote ' is intended for literal values, as in SELECT * FROM mytable WHERE somefield='somevalue'. If somevalue itself contains single quotes, then they need to be escaped to prevent premature closing of the quote literal.

Solution 2:

Those two aren't related at all (as far I know anyway)

From the manual : http://php.net/manual/en/function.mysql-real-escape-string.php

Escapes special characters in the unescaped_string, taking into account the current character set of the connection so that it is safe to place it in a mysql_query().

So essentially what it does is, it will escape characters that are unsafe to go into mysql queries (that might break or malform the query)

So o'reily will become o\'reily