无需连接数据库即可替代mysql_real_escape_string [英] Alternative to mysql_real_escape_string without connecting to DB
问题描述
我想拥有一个不连接数据库就表现为mysql_real_escape_string的功能,因为有时我需要在没有数据库连接的情况下进行干式测试. mysql_escape_string已被弃用,因此是不可取的.我的一些发现:
I'd like to have a function behaving as mysql_real_escape_string without connecting to database as at times I need to do dry testing without DB connection. mysql_escape_string is deprecated and therefore is undesirable. Some of my findings:
http://www.gamedev.net/community/forums/topic.asp?topic_id = 448909
http://w3schools.invisionzone.com/index.php?showtopic=20064
推荐答案
没有数据库连接就无法安全地转义字符串. mysql_real_escape_string()
和准备好的语句需要连接到数据库,以便它们可以使用适当的字符集转义字符串-否则,使用多字节字符仍然可以进行SQL注入攻击.
It is impossible to safely escape a string without a DB connection. mysql_real_escape_string()
and prepared statements need a connection to the database so that they can escape the string using the appropriate character set - otherwise SQL injection attacks are still possible using multi-byte characters.
如果您只是进行测试,那么您也可以使用mysql_escape_string()
,它不能100%保证不会受到SQL注入攻击,但是如果没有数据库连接就无法构建更安全的东西.
If you are only testing, then you may as well use mysql_escape_string()
, it's not 100% guaranteed against SQL injection attacks, but it's impossible to build anything safer without a DB connection.
这篇关于无需连接数据库即可替代mysql_real_escape_string的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!