The function adds an escape character, the backslash, \, before certain potentially dangerous characters in a string passed in to the function. The characters escaped are

该函数在传递给该函数的字符串中的某些潜在危险字符之前添加一个转义字符、反斜杠\。转义的字符是

\x00, \n, \r, \, ', " and \x1a.

\x00、\n、\r、\、'、" 和 \x1a。

This can help prevent SQL injection attacks which are often performed by using the ' character to append malicious code to an SQL query.

这有助于防止 SQL 注入攻击，这些攻击通常是通过使用 ' 字符将恶意代码附加到 SQL 查询来执行的。

Say you want to save the string I'm a "foobar"in the database.
Your query will look something like INSERT INTO foos (text) VALUES ("$text").
With the $textvariable replaced, this will look like this:

假设您想将字符串保存I'm a "foobar"在数据库中。
您的查询将类似于INSERT INTO foos (text) VALUES ("$text").
随着$text变量替换，这将是这样的：

INSERT INTO foos (text) VALUES ("I'm a "foobar"")

Now, where exactly does the string end? Youmay know, an SQL parser doesn't. Not only will this simply break this query, it can also be abused to inject SQL commands you didn't intend.

现在，字符串到底在哪里结束？您可能知道，SQL 解析器没有。这不仅会简单地破坏此查询，还可能被滥用以注入您不想要的 SQL 命令。

mysql_real_escape_stringmakes sure such ambiguities do not occur by escapingcharacters which have special meaning to an SQL parser:

mysql_real_escape_string通过转义对 SQL 解析器具有特殊意义的字符，确保不会出现此类歧义：

mysql_real_escape_string($text)  =>  I\'m a \"foobar\"

This becomes:

这变成：

INSERT INTO foos (text) VALUES ("I\'m a \"foobar\"")

This makes the statement unambiguous and safe. The \signals that the following character is not to be taken by its special meaning as string terminator. There are a few such characters that mysql_real_escape_stringtakes care of.

这使得声明明确且安全。该\信号下列字符不是由它的特殊含义为字符串结束服用。有几个这样的角色mysql_real_escape_string需要照顾。

Escaping is a pretty universal thing in programming languages BTW, all along the same lines. If you want to type the above sentence literally in PHP, you need to escape it as well for the same reasons:

顺便说一句，转义在编程语言中是非常普遍的事情，始终如一。如果您想在 PHP 中逐字输入上述句子，出于相同的原因，您也需要将其转义：

$text = 'I\'m a "foobar"';
// or
$text = "I'm a \"foobar\"";

PHP's mysql_real_escape_stringfunctionis only a wrapper for MySQL's mysql_real_escape_stringfunction. It basically prepares the input string to be safely used in a MySQL string declarationby escaping certain characters so that they can't be misinterpreted as a string delimiter or an escape sequence delimiter and thereby allow certain injection attacks.

PHP 的mysql_real_escape_string函数只是对MySQLmysql_real_escape_string函数的封装。它基本上通过转义某些字符来准备在MySQL 字符串声明中安全使用的输入字符串，以便它们不会被误解为字符串分隔符或转义序列分隔符，从而允许某些注入攻击。

The realin mysql_real_escape_stringin opposite to mysql_escape_stringis due to the fact that it also takes the current character encoding into account as the risky characters are not encoded equally in the different character encodings. But you need to specify the character encoding change properlyin order to get mysql_real_escape_stringwork properly.

在实际中mysql_real_escape_string在相反的mysql_escape_string是，由于这样的事实，它也需要在当前字符编码成帐户作为危险字符不是在不同的字符编码同样编码。但是，你需要正确指定字符编码的变化，以获得mysql_real_escape_string正常工作。

Best explained here.

最好在这里解释。

http://www.w3schools.com/php/func_mysql_real_escape_string.asp

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

http://www.w3schools.com/php/func_mysql_real_escape_string.asp

http://www.tizag.com/mysqlTutorial/mysql-php-sql-injection.php

It generally it helps to avoid SQL injection, for example consider the following code:

它通常有助于避免 SQL 注入，例如考虑以下代码：

<?php
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// This means the query sent to MySQL would be:
echo $query;
?>

and a hacker can send a query like:

黑客可以发送如下查询：

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

This would allow anyone to log in without a valid password.

这将允许任何人在没有有效密码的情况下登录。

The mysql_real_escape_string()helps you escape special characters such as single quote etc that users may submit to your script. You need to escape such characters because that comes in handy when you want to avoid SQL Injection.

这mysql_real_escape_string()可以帮助您转义用户可能提交给您的脚本的特殊字符，例如单引号等。您需要转义这些字符，因为当您想避免SQL Injection时这会派上用场。

I would sugggest you to check out:

我建议你检查一下：

mysql_real_escape_string() versus Prepared Statements

mysql_real_escape_string() 与准备好的语句

To be on much safer side, you need to go for Prepared Statementsinstead as demonstrated through above article.

为了更安全，您需要使用准备好的语句，而不是如上面的文章所示。

The mysqli_real_escape_string()function escapes special characters in a string for use in an SQL statement.

该mysqli_real_escape_string()函数转义字符串中的特殊字符以在 SQL 语句中使用。