mysql_real_escape_string() calls MySQL’s library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ‘, ” and \x1a.
This function must always be used to make data safe before sending a query to MySQL.
A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn’t defined, the last MySQL connection is used.
Using mysql_real_escape_string() in php we can prevent database attacks ,a small example shown below
What could be happen if we are not using mysql_real_escape_string() function on the username and password:
This means that anyone could log in without a valid password!
To prevent these attacks use mysql_real_ escape_string() function.
• mysql_real_escape_string() is necessary to control what the users are storing in the database and to prevent sql injection.
• mysql_real_escape_string ensures that whatever the user enters is processed first before it is stored in the database and characters with special meaning to the sql engine is properly escaped.