Combating SQL injection with mysqli real_escape_string

We have just seen how raw user input can be injected into an SQL query and used to alter the logic of the query. The culprit is the single quote; if this was not allowed to enter the SQL query, the problem would be solved.

To achieve this, we need to escape these quote marks with backslashes, just as we did earlier on in the lesson on string delimiters. One way of doing this is to use the PHP function mysql_real_escape_string().