mysql_real_escape_string VS加上斜线 [英] mysql_real_escape_string VS addslashes

问题描述

有人可以从PHP手册中了解这两个函数之间的区别

Can someone shed some light on the differences between these 2 functions, from the PHP manual

加斜杠: 返回一个字符串，该字符串在数据库查询等中需要加引号的字符之前带有反斜杠.这些字符是单引号(')，双引号()，反斜杠()和NUL(NULL字节).

addslashes: Returns a string with backslashes before characters that need to be quoted in database queries etc. These characters are single quote ('), double quote ("), backslash () and NUL (the NULL byte).

mysql_real_escape_string: mysql_real_escape_string()调用MySQL的库函数mysql_real_escape_string，该函数将反斜杠添加到以下字符前:\ x00，\ n，\ r，\，'，'和\ x1a.

mysql_real_escape_string: mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

从我收集到的主要区别是\ x00，\ n \ r \ x1a不会引起斜线，您能告诉我它的意义是什么吗?

from what i gather the major difference is \x00, \n \r \x1a which addslashes doesnt escape, can you tell me what the significance of that is?

谢谢

推荐答案

您引用的内容可能来自文档，但据我所知不一定是正确的.

What you quote is probably from the doc, but as far as I know it's not necessarily true.

addslashes在通常令人不安的字符上添加斜杠. mysql_real_escape_string可以转义任何需要转义的MySQL.这可能比addslashes要处理的字符更多或更少.

addslashes adds slashes to characters that are commonly disturbing. mysql_real_escape_string escapes whatever MySQL needs to be escaped. This may be more or less characters than what addslashes takes care of.

此外，mysql_real_escape_string不一定会添加斜杠以进行转义.虽然我认为这样做是可行的，但MySQL的最新版本通过将两个引号放在一起而不是在其前面加上斜线来转义引号.

Also, mysql_real_escape_string will not necessarily add slashes to escape. While I think it works if you do it that way, recent versions of MySQL escape quotes by putting two of them together instead of by putting a slash before it.

我相信您应该始终使用数据提供者的转义功能，而不要使用addslashes，因为addslashes可能会为您的用途做太多或做不到足够的工作.另一方面，mysql_real_escape_string 知道如何做准备将字符串嵌入查询中的字符串.即使有关如何转义内容的规范发生了变化，并且突然之间您不再使用反斜杠，您的代码仍然可以正常工作，因为mysql_real_escape_string会意识到这一点.

I believe you should always use your data provider's escape function instead of addslashes, because addslashes may either do too much or not enough work for the purpose you use it. On the other hand, mysql_real_escape_string knows what to do to prepare a string for embedding it in a query. Even if the specs change about how to escape stuff and suddenly it's not backslashes that you should use anymore, your code will still work because mysql_real_escape_string will be aware of it.

这篇关于mysql_real_escape_string VS加上斜线的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！