
Issue with mysql_real_escape_string

I have the following query:
SELECT * FROM ships WHERE shipCode="SP"
SELECT * FROM ships WHERE shipCode=\\"SP\\"

The first works fine; the second, which is the result of calling mysql_real_escape_string on the first string, doesn't work and gives the useless error message:

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\"SP\\"' at line 1

What's wrong with it?

shipCode is a VARCHAR(2)

You're not supposed to call mysql_real_escape_string on the whole string. You use it only on the values you're concatenating into your query.

Wrong:

$query = 'SELECT * FROM ships WHERE shipCode="' . $var . '"';
$query = mysql_real_escape_string($query);

Right:

$query = 'SELECT * FROM ships WHERE shipCode="' . mysql_real_escape_string($var) . '"';

Even better: Prepared statements.

You need to have a valid connection with MySQL set up before you use mysql_real_escape_string. Do it like this:

$attr = "sp";
// mysql_real_escape_string() uses the connection opened earlier with mysql_connect()
$query = "SELECT * FROM ships WHERE shipCode = '" . mysql_real_escape_string($attr) . "'";
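The point made in both answers above (escape only the value, not the whole query, and only over an open connection; prefer prepared statements), as an added PHP example that is not part of either answer. It assumes a local MySQL server, the credentials and database name given at the top, a table `ships` with a column `shipCode VARCHAR(2)`, and the mysqlnd driver (needed for mysqli_stmt_get_result). It uses mysqli_real_escape_string, the replacement for mysql_real_escape_string, which was removed in PHP 7:

```php
<?php
// Added example, not code from the original question or answers.
// Assumed: a MySQL server at $host with these credentials, a database $db
// containing a table `ships` (shipCode VARCHAR(2)), and the mysqlnd driver.
$host = '127.0.0.1';
$user = 'app';
$pass = 'secret';
$db   = 'fleet';

// PHP 8.1+ throws on mysqli errors by default; switch to return values so the
// deliberately broken query below reports error 1064 instead of aborting.
mysqli_report(MYSQLI_REPORT_OFF);

// The escaping rules depend on the connection's character set, which is why
// (mysql|mysqli)_real_escape_string needs an open connection to work.
$link = mysqli_connect($host, $user, $pass, $db);
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
mysqli_set_charset($link, 'utf8mb4');

$var = 'SP';

// Wrong: escaping the finished query turns the quotes that belong to the SQL
// syntax into \" so the parser sees shipCode=\"SP\" and fails with 1064,
// which is exactly the error in the question.
$wrong = mysqli_real_escape_string($link, 'SELECT * FROM ships WHERE shipCode="' . $var . '"');
echo "escaped whole query: $wrong\n";
if (mysqli_query($link, $wrong) === false) {
    echo 'as expected, error ' . mysqli_errno($link) . ': ' . mysqli_error($link) . "\n";
}

// Right: escape only the value before splicing it between the quotes.
// A hostile value such as  " OR "1"="1  becomes  \" OR \"1\"=\"1  and is
// compared as a plain string instead of altering the WHERE clause.
$hostile = '" OR "1"="1';
$right = 'SELECT * FROM ships WHERE shipCode="' . mysqli_real_escape_string($link, $hostile) . '"';
echo "escaped value only:  $right\n";
$res = mysqli_query($link, $right);
echo 'rows matched by the hostile value: ' . ($res !== false ? mysqli_num_rows($res) : 'query failed') . "\n";

// Better: a prepared statement. The value never becomes part of the SQL text,
// so there is no escaping step to forget or to apply to the wrong thing.
$stmt = mysqli_prepare($link, 'SELECT * FROM ships WHERE shipCode = ?');
mysqli_stmt_bind_param($stmt, 's', $var);
mysqli_stmt_execute($stmt);
$rows = mysqli_stmt_get_result($stmt)->fetch_all(MYSQLI_ASSOC);
echo 'rows for ' . $var . ' via prepared statement: ' . count($rows) . "\n";

mysqli_stmt_close($stmt);
mysqli_close($link);
```

Run it with `php example.php` after adjusting the credentials. The first query prints the 1064 error from the question, the second runs but matches nothing because the injected text is just a two-character-column value that does not exist, and the prepared statement returns the real rows for SP.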

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.

© 2020-2024 STACKOOM.COM