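```php
// $conn is an open MySQLi connection.
// The apostrophe in O'Brien is escaped so it cannot end the quoted string early.
$name = "John O'Brien";
$name = mysqli_real_escape_string($conn, $name);
$sql = "INSERT INTO users (name) VALUES ('$name')";
mysqli_query($conn, $sql);
```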
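```php
// Input carrying an injection attempt; once escaped, the quote is data, not a delimiter.
$search = "Widget'; DROP TABLE users;";
$search = mysqli_real_escape_string($conn, $search);
$sql = "SELECT * FROM products WHERE name = '$search'";
mysqli_query($conn, $sql);
```

In this example, the `$search` variable contains an attempted SQL injection attack. `mysqli_real_escape_string` escapes the special characters, so the single quote stays inside the string literal and the attack is rendered ineffective. The escaping only protects a value that is placed inside quotes in the query, as it is here, and it depends on the connection character set having been set with `mysqli_set_charset`. `mysqli_real_escape_string` is part of the PHP MySQLi extension.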
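The same two queries written as MySQLi prepared statements, where the value is bound as a parameter and never becomes part of the SQL text. This is an added example, not code from the original page; the host, credentials and database name are placeholders, and the `users` and `products` tables are assumed to exist.

```php
<?php
// Added example: the page's two queries as prepared statements.
// Connection details below are placeholders (assumptions), not real values.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on errors

function connect(): mysqli
{
    $conn = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
    // Set the charset through the API so client and server agree on encoding.
    $conn->set_charset('utf8mb4');
    return $conn;
}

// Insert a user and return the generated row id (0 if no auto-increment column).
function insertUser(mysqli $conn, string $name): int
{
    $stmt = $conn->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);   // 's' binds the value as a string
    $stmt->execute();
    $id = (int) $conn->insert_id;
    $stmt->close();
    return $id;
}

// Return all products whose name equals $search exactly.
function findProducts(mysqli $conn, string $search): array
{
    $stmt = $conn->prepare('SELECT * FROM products WHERE name = ?');
    $stmt->bind_param('s', $search);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // requires mysqlnd
    $stmt->close();
    return $rows;
}

$conn = connect();
$id = insertUser($conn, "John O'Brien");
// The quote and semicolons are compared as literal characters of the name.
$rows = findProducts($conn, "Widget'; DROP TABLE users;");
printf("inserted id %d, %d matching product(s)\n", $id, count($rows));
$conn->close();
```

Because the statement is parsed before the value is supplied, no escaping call is needed and the result does not depend on remembering to quote the value.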