如果绑定参数,是否必须使用mysql_real_escape_string? [英] Do I have to use mysql_real_escape_string if I bind parameters?
问题描述
我有以下代码:
function dbPublish($status)
{
global $dbcon, $dbtable;
if(isset($_GET['itemId']))
{
$sqlQuery = 'UPDATE ' . $dbtable . ' SET active = ? WHERE id = ?';
$stmt = $dbcon->prepare($sqlQuery);
$stmt->bind_param('ii', $status, $_GET['itemId']);
$stmt->execute();
$stmt->close();
}
}
在这种情况下,我需要mysql_real_escape_string还是可以吗?
Do I need to mysql_real_escape_string in this case or am i okay?
推荐答案
不,您不必自己逃避价值(即,您不需要致电mysqli_real_escape_string
),当您使用准备好的语句时:数据库引擎会自己执行.
No, you don't have to escape value yourself (i.e. no you don't need to call mysqli_real_escape_string
), when you are using prepared statements : the DB engine will do that itself.
(实际上,如果您调用mysql_real_escape_string
并使用绑定参数,则您的字符串将被转义两次-并不是很好:您最终会到处转义字符...)
(Actually, if you were calling mysql_real_escape_string
and using bound parameters, your strings would get escaped twice -- which would not be great : you'd end up with escaping characters everywhere...)
附带说明:您的值以整数(如'ii'
所示)传递,因此即使您未使用预处理语句,也不必调用mysql_real_escape_string
:名称表示,此函数用于转义...字符串.
As a sidenote : your values are passed as integers (as indicated by the 'ii'
), so you wouldn't have to call mysql_real_escape_string
, even if you were not using prepared statements : as its name indicates, this function is used to escape... strings.
对于整数,我通常只使用 intval
来确保确实注入到SQL查询中的数据是整数.
For integers, I generally just use intval
to make sure the data I inject into my SQL queries really are integers.
(但是,由于您使用的是预先准备好的查询,因此您不必再进行这种转义)
这篇关于如果绑定参数,是否必须使用mysql_real_escape_string?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!